
Nashorn/jjs security: executing a user's script on server side

I'm writing an application where the user can provide a custom JavaScript function to filter a file on the server side using nashorn/jjs:

cat /etc/js/library.js user.js > tmp.js && 
cat /path/to/input.txt | jjs --language=es6 -doe -J-Djava.security.manager tmp.js > /path/to/output.txt &&
rm tmp.js

I know that the user could write an infinite loop to fill my disk:

for(;;) print("#####");

But is -J-Djava.security.manager sufficient to prevent him from reading/writing a file on the filesystem?

Thanks.

You're right. Once you set java security manager, your scripts are "sandboxed". Unless you write explicit security policy where you grant specific permissions to specific scripts, only sandbox permissions are given to scripts. You can safely run unsecure scripts. To grant specific permissions to specific scripts, you need to load scripts from trusted URLs and use those URLs in security policy:

See also: https://wiki.openjdk.java.net/display/Nashorn/Nashorn+script+security+permissions
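
The security manager restricts what a script may access, but it does not bound run time or output size, which is the infinite-loop case the question raises. The wrapper below is an added example, not part of the original question or answer: it runs the question's pipeline under OS limits and a private temp directory. `run_filter` and the `MAX_*` variables are hypothetical names, and `timeout` from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). run_filter and the MAX_*
# variables are hypothetical names; `timeout` (coreutils) is assumed present.
#
# usage: run_filter LIBRARY USER_SCRIPT INPUT OUTPUT [INTERPRETER [ARGS...]]
run_filter() {
    library=$1; user_script=$2; input=$3; output=$4
    shift 4
    # Default interpreter: the jjs command line from the question.
    [ "$#" -gt 0 ] || set -- jjs --language=es6 -doe -J-Djava.security.manager

    # Private per-run directory instead of a shared ./tmp.js, so concurrent
    # requests cannot overwrite or read each other's combined script.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/filter.XXXXXX") || return 1
    combined=$workdir/tmp.js
    cat "$library" "$user_script" > "$combined" || { rm -rf "$workdir"; return 1; }

    status=0
    (   # Subshell: the limits apply to the interpreter only, not the caller.
        # Max size of any file written, in 512- or 1024-byte blocks
        # depending on the shell; a runaway print() loop is killed here.
        ulimit -f "${MAX_OUT_BLOCKS:-2048}"
        ulimit -t "${MAX_CPU_SECS:-10}"      # CPU seconds
        # Wall-clock limit covers scripts that block without burning CPU.
        exec timeout "${MAX_WALL_SECS:-30}" "$@" "$combined" < "$input" > "$output"
    ) || status=$?

    rm -rf "$workdir"
    return "$status"
}
```

A non-zero return means the interpreter failed or hit one of the limits, so the partial output file should be discarded rather than served.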
