
How to lock down (or sandbox) JDK's built-in Javascript interpreter to run untrusted scripts

We have a Java application and would like to run untrusted code using the built-in Javascript interpreter (javax.script.*).

However, by default the interpreter allows access to any Java class. For example, "java.lang.System.exit(0)" in the script will shut down the JVM. I believe this is called "Live Connect"; see Sun's "Java Scripting Programmer's Guide" for more details.

I would like to somehow turn off the ability for the script to access Java classes, i.e. I only want the script to be able to access objects that I specifically inject using the eval() or put() methods on ScriptEngine.

I have found some documentation on how to achieve this with an older standalone version of the interpreter (Rhino), for example see http://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/

However, this approach is not possible in JDK 1.6 without using sun internal classes, as the ClassShutter etc. is all set up internally and cannot be overridden with public methods.

I am hoping there is a simple way around this that does not require jumping through complex hoops using a custom SecurityManager, ClassLoader, etc., but I have not been able to find anything.

You would expect, with the frequency of security bulletins surrounding Javascript in different applications, that there would be a simple flag to disable Live Connect!
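The "simple flag" the question asks for does exist on later JDKs, where the built-in engine is Nashorn (JDK 8 to 14) rather than the Rhino build the question is about: Nashorn's public ClassFilter hook is consulted before any Java class becomes visible to a script by name, and a filter that returns false for everything leaves the script with only the values the host injects. The following is an added example, not code from the question or either answer; the class and method names are Nashorn's (jdk.nashorn.api.scripting), and the two scripts are constructed for the demonstration.

```java
// Added example: Nashorn (JDK 8u40 to 14) with a deny-all ClassFilter, so that
// java.*, Packages and Java.type() cannot resolve any Java class from script.
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import java.util.HashMap;
import java.util.Map;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class SandboxedJs {

    /** Deny-all filter: Nashorn asks this for every class a script tries to reach by name. */
    static final class DenyAllJava implements ClassFilter {
        @Override
        public boolean exposeToScripts(String className) {
            return false;
        }
    }

    private final ScriptEngine engine;

    public SandboxedJs() {
        // getScriptEngine(ClassFilter) is the public entry point for a filtered engine.
        engine = new NashornScriptEngineFactory().getScriptEngine(new DenyAllJava());
    }

    /**
     * Evaluates untrusted script against a fresh bindings object that holds only
     * what the host chose to inject, and returns the script's result.
     */
    public Object run(String script, Map<String, Object> injected) throws ScriptException {
        Bindings b = engine.createBindings();
        b.putAll(injected);
        return engine.eval(script, b);
    }

    public static void main(String[] args) throws Exception {
        SandboxedJs sandbox = new SandboxedJs();
        Map<String, Object> allowed = new HashMap<String, Object>();
        allowed.put("limit", 3);   // constructed sample value the host deliberately exposes

        // Constructed benign script: touches only the injected value.
        Object result = sandbox.run(
            "var total = 0; for (var i = 0; i < limit; i++) total += i; total;", allowed);
        System.out.println("benign script returned " + result);

        // Constructed hostile script: the exact call from the question. With the
        // filter in place, java.lang.System is never resolved to a class, so exit(0)
        // is never invoked; the engine raises an exception instead.
        try {
            sandbox.run("java.lang.System.exit(0);", allowed);
            System.out.println("UNEXPECTED: hostile script ran to completion");
        } catch (Exception e) {   // exact type depends on how the class was reached
            System.out.println("blocked: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind. The filter governs class lookups by name from script; a Java object the host injects still exposes its own public methods, so inject plain data or narrow interface objects rather than arbitrary host objects, and treat the filter as a layer on top of, not a replacement for, whatever process-level isolation the untrusted code warrants. Nashorn was deprecated in JDK 11 and removed in JDK 15; the standalone nashorn-core artifact keeps this API under the org.openjdk.nashorn package.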

Have a look at the Java sandbox library and the post on how to do exactly what you want for Groovy ( http://blog.datenwerke.net/2013/06/sandboxing-groovy-with-java-sandbox.html ). Rhino can be tackled in a similar fashion.

I searched a lot, tried out codeutopia.net's blog sandboxing approach and other SecurityManager solutions, and felt unsatisfied. Then came my class loader solution, based on the JDK's embedded Rhino library without importing any third-party libraries. Two Java classes with about 200 lines of code; it is currently my simplest solution that fits my JavaScript-only requirement.

  1. Find out the JavaScript script engine factory class name via ScriptEngineManager#getEngineFactories.
  2. Load the script engine factory class in a new class loader, in which JavaMembers or other related classes will be ignored.
  3. Call #getScriptEngine on the loaded script engine factory and eval scripts on the returned script engine.

If the given script contains Java script, the class loader will try to load JavaMembers or other classes and trigger class-not-found exceptions. In this way, malicious scripts will be ignored without execution.

Please read ConfigJSParser.java and ConfigJSClassLoader.java files for more details:

https://github.com/webuzz/simpleconfig/tree/master/js/im/webuzz/config
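The three steps above, written out as an added example; this is not the simpleconfig code the answer links to, and it makes two assumptions: that the JDK 6/7 engine lives under com.sun.script.javascript with the Rhino runtime under sun.org.mozilla.javascript.internal, and, as the answer itself states, that refusing to load sun.org.mozilla.javascript.internal.JavaMembers is enough to stop Rhino from wrapping any Java class. The loader defines a private copy of the engine and Rhino classes from the JDK's own class files and delegates everything else (javax.script.*, java.*) to the normal parent, so the engine it produces still implements ScriptEngine.

```java
// Added example: the class-loader pattern from the answer, for JDK 6/7 Rhino.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

public class RhinoWithoutJava {

    static final class JavaBridgeDenyingLoader extends ClassLoader {
        // Assumed JDK 6/7 package names; classes under these prefixes get a private copy.
        private static final String[] ISOLATED_PREFIXES = {
            "com.sun.script.javascript.", "sun.org.mozilla.javascript." };
        private final Set<String> denied;

        JavaBridgeDenyingLoader(ClassLoader parent, Set<String> denied) {
            super(parent);
            this.denied = denied;
        }

        @Override
        protected synchronized Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (denied.contains(name)) {
                // The JVM reports this as NoClassDefFoundError at the point of use, which is
                // how a script's attempt to reach into Java surfaces to the host.
                throw new ClassNotFoundException("blocked by sandbox: " + name);
            }
            if (!isIsolated(name)) {
                return super.loadClass(name, resolve);   // javax.script.*, java.* etc. from the parent
            }
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                byte[] bytes = readClassBytes(name);
                if (bytes == null) throw new ClassNotFoundException(name);
                c = defineClass(name, bytes, 0, bytes.length);
            }
            if (resolve) resolveClass(c);
            return c;
        }

        private static boolean isIsolated(String name) {
            for (String p : ISOLATED_PREFIXES) if (name.startsWith(p)) return true;
            return false;
        }

        /** Reads the JDK's own bytes for the class so the private copy is byte-identical. */
        private static byte[] readClassBytes(String name) throws ClassNotFoundException {
            InputStream in = ClassLoader.getSystemResourceAsStream(name.replace('.', '/') + ".class");
            if (in == null) return null;
            try {
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            } finally {
                try { in.close(); } catch (IOException ignored) { }
            }
        }
    }

    /** Step 1: discover the built-in JavaScript engine's factory class name. */
    static String findJsFactoryClassName() {
        for (ScriptEngineFactory f : new ScriptEngineManager().getEngineFactories()) {
            if (f.getNames().contains("javascript")) return f.getClass().getName();
        }
        throw new IllegalStateException("no JavaScript engine in this JDK");
    }

    /** Steps 2 and 3: load that factory in the denying loader and ask it for an engine. */
    static ScriptEngine newSandboxedEngine() throws Exception {
        Set<String> denied = new HashSet<String>(Arrays.asList(
            "sun.org.mozilla.javascript.internal.JavaMembers"));   // assumed class name
        ClassLoader loader = new JavaBridgeDenyingLoader(RhinoWithoutJava.class.getClassLoader(), denied);
        Class<?> factoryClass = Class.forName(findJsFactoryClassName(), true, loader);
        ScriptEngineFactory factory = (ScriptEngineFactory) factoryClass.newInstance();
        return factory.getScriptEngine();
    }

    public static void main(String[] args) throws Exception {
        ScriptEngine engine = newSandboxedEngine();
        // Constructed scripts: pure JavaScript works, the call from the question does not.
        System.out.println("pure JS: " + engine.eval("[1,2,3].map(function (x) { return x * 2; }).join(',')"));
        try {
            engine.eval("java.lang.System.exit(0);");
            System.out.println("UNEXPECTED: script completed");
        } catch (LinkageError e) {   // NoClassDefFoundError for the denied class
            System.out.println("blocked: " + e);
        }
    }
}
```

Note that the blocked access arrives at the host as a LinkageError from eval(), not as a ScriptException, so the host must catch it separately. Denying JavaMembers also removes Rhino's ability to wrap host objects handed in through put(), so this fits the answer's JavaScript-only case: only values the engine does not need to wrap, such as strings and numbers, remain usable as injected inputs. The approach does not carry over to JDK 8 and later, where the built-in engine is no longer this Rhino build.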
