A secure sandbox for executing JavaScript in Java apps using the Nashorn engine.
Also see Rhino Sandbox.
Part of the Java Delight Suite.
The sandbox by default blocks access to all Java classes.
Classes, which should be used in JavaScript, must be explicitly allowed.
NashornSandbox sandbox = NashornSandboxes.create();
sandbox.allow(File.class);
sandbox.eval("var File = Java.type('java.io.File'); File;")
Or you can inject your java object as a JS global variable
NashornSandboxes sandbox = NashornSandboxes.create();
sandbox.inject("fromJava", new Object());
sandbox.eval("fromJava.getClass();");
The sandbox also allows limiting the CPU time and memory usage of scripts. This allows terminating scripts which contain infinite loops and other problematic code.
NashornSandbox sandbox = NashornSandboxes.create();
sandbox.setMaxCPUTime(100);
sandbox.setMaxMemory(50*1024);
sandbox.allowNoBraces(false);
sandbox.setMaxPreparedStatements(30); // because preparing scripts for execution is expensive
sandbox.setExecutor(Executors.newSingleThreadExecutor());
sandbox.eval("var o={}, i=0; while (true) {o[i++]='abc';};");
This code will raise a ScriptCPUAbuseException.
The sandbox beautifies the JavaScript code for this and injects additional statements into the submitted code. It is thus possible that the original line numbers from the submitted JS code are not preserved. To debug the code, which is generated by the sandbox, activate its debug mode as follows using log4j.properties file:
log4j.logger.delight.nashornsandbox.internal.NashornSandboxImpl=DEBUG
This will output the generated JS on the console as follows:
--- Running JS ---
var \__it = Java.type('delight.nashornsandbox.internal.InterruptTest');var \__if=function(){\__it.test();};
while(true) {__if();
i = i+1;
}
--- JS END ---
Just add the following dependency to your projects.
<dependency>
<groupId>org.javadelight</groupId>
<artifactId>delight-nashorn-sandbox</artifactId>
<version>[insert latest version]</version>
</dependency>
This artifact is available on Maven Central and BinTray.
If you are looking for a JAR with all dependencies, you can also download it from here.
Eduardo Velasques: API extensions to block/allow Rhino system functions; Capability to block/allow variables after Sandbox has been created.
Marcin Gołębski: Major refactoring and performance improvements. Among other things improved the performance for JS evaluation and better handling of monitoring for threads for possible CPU abuse (#23).
- 0.1.11: Added support for custom parameters in creating Nashorn Script engine (see issue #40).
- 0.1.10: Added createBindings to the API to allow overriding global properties (see PR #39 by Srinivasa Chintalapati)
- 0.1.9: Fixed bug #36
- 0.1.8: Fixed that
do
,while
andfor
in comments might cause BracesExceptions (see bug #34) - 0.1.7: Used webjar dependency for BeautifyJS and slf4j as logging dependency (PR #35 by thjaeckle); Updated license (see bug #32)
- 0.1.6: Fixing bug that monitor checking for CPU abuses would hang when it encountered
monitor.wait(0)
(see issue 30) - 0.1.5: Fixing bug #28 with PR 29 by srinivasarajuch - added support for evaluation JS with specific ScriptContext
- 0.1.4: Fixing bug #27
- 0.1.3: Improving regex for interrupt injections (PR 26), cleaning up code for obtaining JSBeautifier instance (PR 25)
- 0.1.2: Improving way JsBeautifier instance is obtained (PR 24)
- 0.1.1: Making all fields in NashornSandboxImpl
protected
rather thanprivate
(see issue #19) - 0.1.0: Major rework and performance improvements implemented by Marcin Gołębski (PR 23)