Nashorn/jjs security: executing a user's script on server side


I'm writing an application where the user can provide a custom javascript function to filter a file on the server side using nashorn/jjs:

cat /etc/js/library.js user.js > tmp.js && 
cat /path/to/input.txt | jjs --language=es6 -doe -J-Djava.security.manager tmp.js > /path/to/output.txt &&
rm tmp.js

I know that the user could write an infinite loop to fill my disk:

for(;;) print("#####");

But is -J-Djava.security.manager sufficient to prevent him from reading/writing a file on the filesystem?

Thanks.

A. Sundararajan (accepted answer):

You're right. Once you set java security manager, your scripts are "sandboxed". Unless you write explicit security policy where you grant specific permissions to specific scripts, only sandbox permissions are given to scripts. You can safely run insecure scripts. To grant specific permissions to specific scripts, you need to load script from trusted URLs and use those URLs in security policy:

See also: https://wiki.openjdk.java.net/display/Nashorn/Nashorn+script+security+permissions
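As an added example (my own, not code from the question or the answer), the check a practitioner would run before trusting the sandbox: evaluate a constructed user script from Java with the security manager installed and confirm that the file write is refused while a pure filter still runs. It assumes JDK 8 with the bundled Nashorn engine; the class name, script contents and file path are constructed for the demonstration.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Constructed check, not the question's pipeline: runs a user script under
 * the Java security manager and reports whether its file access was denied.
 * A script evaluated from a string has a protection domain with no
 * FilePermission, so the JVM rejects the FileWriter constructor before any
 * file is created.
 */
public class NashornSandboxCheck {

    // Constructed "user.js": the kind of script the question worries about.
    static final String USER_SCRIPT =
        "var w = new java.io.FileWriter('/tmp/sandbox-escape.txt');\n"
        + "w.write('escaped'); w.close(); 'WROTE FILE';";

    // A harmless filter that only computes; the sandbox must still allow it.
    static final String FILTER_SCRIPT =
        "['c','a','b'].filter(function (s) { return s != 'b'; }).sort().join(',')";

    // Engine is built once by the trusted host, before the sandbox is switched on.
    private static final ScriptEngine ENGINE =
        new ScriptEngineManager().getEngineByName("nashorn");

    /** Evaluates the script with the security manager active; returns a verdict. */
    static String runSandboxed(String script) throws ScriptException {
        if (ENGINE == null) {
            throw new IllegalStateException("Nashorn is not available on this JDK");
        }
        if (System.getSecurityManager() == null) {
            // Same effect as -J-Djava.security.manager on the jjs command line.
            System.setSecurityManager(new SecurityManager());
        }
        try {
            return "finished: " + ENGINE.eval(script);
        } catch (SecurityException e) {
            // java.security.AccessControlException is a SecurityException and is
            // passed through unwrapped, so the host can catch and log the attempt.
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(runSandboxed(USER_SCRIPT));   // denied: access denied ("java.io.FilePermission" ...)
        System.out.println(runSandboxed(FILTER_SCRIPT)); // finished: a,c
    }
}
```

The manager restricts what a script may call, not how much CPU, memory or disk it consumes, so the for(;;) print loop from the question still needs a timeout and an output size limit (for example timeout and ulimit -f around the jjs pipeline). Note also that cat library.js user.js > tmp.js gives the library and the user's code one script and one protection domain, so granting the library extra permissions by URL only works when it is loaded as its own file.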