Secure Nashorn JS Execution


Problem description

How can I securely execute some user-supplied JS code using Java 8 Nashorn?

The script extends some computations for some servlet-based reports. The app has many different (untrusted) users. The scripts should only be able to access one Java object and those objects returned by its defined members. By default the scripts could instantiate any class using Class.forName() (via .getClass() of my supplied object). Is there any way to prohibit access to any Java class not explicitly specified by me?

Recommended answer

Asked this on the Nashorn mailing list a while ago:

Are there any recommendations for the best way to restrict the classes that Nashorn scripts can create to a whitelist? Or is the approach the same as for any JSR223 engine (custom classloader on the ScriptEngineManager constructor)?

And got this answer from one of the Nashorn devs:



  • Nashorn already filters classes - only public classes of non-sensitive packages (packages listed in the package.access security property, aka 'sensitive'). The package access check is done from a no-permissions context, i.e., whatever packages can be accessed from a no-permissions class are the only ones allowed.

  • Nashorn filters Java reflective and jsr292 access - unless the script has RuntimePermission("nashorn.JavaReflection"), the script won't be able to do reflection.

The above two require running with a SecurityManager enabled. Under no security manager, the above filtering won't apply.

You could remove the global Java.type function and the Packages object (+ com, edu, java, javafx, javax, org, JavaImporter) in the global scope and/or replace those with whatever filtering functions you implement. Because these are the only entry points to Java access from script, customizing these functions => filtering Java access from scripts.

There is an undocumented option (right now used only to run test262 tests) "--no-java" of the nashorn shell that does the above for you, i.e., Nashorn won't initialize the Java hooks in the global scope.

JSR223 does not provide any standards-based hook to pass a custom class loader. This may have to be addressed in a (possible) future update of JSR223.

Hope this helps,

-Sundar
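The following is an added example, not code from the original question, the answer, or the Nashorn project. It applies the advice in the answer on Java 8 Nashorn through the standard javax.script API: one engine per untrusted script, a prelude that deletes the Java entry points from the global scope, and a narrow facade object exposed under a name of our choosing. The class names SandboxedNashorn and ReportFacade and the binding name "report" are assumptions. The prelude goes slightly beyond the list in the answer: it also deletes load, loadWithNewGlobal, exit and quit, because loadWithNewGlobal creates a fresh global that has the Java hooks again, and exit/quit call System.exit.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Added example (not from the original post): runs untrusted scripts on
 * Nashorn with the global Java entry points removed, as the answer suggests.
 * Names SandboxedNashorn, ReportFacade and the "report" binding are assumptions.
 */
public class SandboxedNashorn {

    /**
     * Prelude evaluated in the global scope before any user code.
     * It deletes the hooks the Nashorn dev lists (Java, Packages, JavaImporter
     * and the package roots). load/loadWithNewGlobal/exit/quit are deleted as
     * well (an addition to that list): loadWithNewGlobal would hand the script a
     * new global with the Java hooks restored, and exit/quit call System.exit.
     * 'delete' returns false for a non-configurable property, which would mean
     * the hardening silently failed, so that case throws.
     */
    static final String HARDENING_PRELUDE =
        "(function (global) {\n" +
        "  var hooks = ['Java', 'Packages', 'JavaImporter',\n" +
        "               'com', 'edu', 'java', 'javafx', 'javax', 'org',\n" +
        "               'load', 'loadWithNewGlobal', 'exit', 'quit'];\n" +
        "  for (var i = 0; i < hooks.length; i++) {\n" +
        "    if (!(delete global[hooks[i]])) {\n" +
        "      throw new Error('could not remove global ' + hooks[i]);\n" +
        "    }\n" +
        "  }\n" +
        "})(this);\n";

    /** The only surface a script is meant to see: a facade returning plain values. */
    public static final class ReportFacade {
        private final double total;

        public ReportFacade(double total) {
            this.total = total;
        }

        // Nashorn exposes this bean getter to scripts as report.total
        public double getTotal() {
            return total;
        }
    }

    /**
     * Evaluates one untrusted script. A new engine is created per call because
     * the global scope, and therefore the deletions above, belong to the engine.
     */
    public static Object runUserScript(String userScript, ReportFacade report)
            throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            throw new IllegalStateException("Nashorn engine not available on this JDK");
        }
        engine.eval(HARDENING_PRELUDE);   // strip Java access from the global scope
        engine.put("report", report);     // then expose only the facade
        return engine.eval(userScript);
    }

    public static void main(String[] args) throws ScriptException {
        ReportFacade report = new ReportFacade(1234.5);

        // Legitimate use: the script works with the exposed object only.
        System.out.println("result: " + runUserScript("report.total * 1.2", report));

        // Attempted Java access now fails with a ReferenceError ("Java" is not defined),
        // surfaced to the host as a ScriptException.
        try {
            runUserScript("Java.type('java.lang.Runtime').getRuntime()", report);
            System.out.println("NOT blocked");
        } catch (ScriptException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The prelude only removes the script-side entry points. As the answer says, Nashorn's own package and reflection filters need a SecurityManager: without one, a raw Java object handed to the script still has getClass(), and from a java.lang.Class the reflective path is open again. Exposing a small facade that returns only primitives and strings shrinks that surface but does not close it, so the prelude belongs alongside a SecurityManager, not in place of one. For Java 8u40 and later, jdk.nashorn.api.scripting.ClassFilter (passed to NashornScriptEngineFactory.getScriptEngine) provides the whitelist hook that this answer says JSR223 lacks.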
