如何使用 JSR 223 保护脚本?
[英]How to secure scripting with JSR 223?
问题描述
I use Groovy as dynamic script engine to allow admin users of my web application to create little scripts as part of an interface solution, eg.
我使用 Groovy 作为动态脚本引擎,以允许我的 web 应用程序的管理员用户创建小脚本作为接口解决方案的一部分,例如。 do simple string operations, tokenize and so on.做简单的字符串操作,tokenize 等等。
Unfortunately that opens quite a big loophole because per default the script engine would execute anything.不幸的是,这打开了一个很大的漏洞,因为默认情况下脚本引擎会执行任何操作。
I described a demo app here: http://javadude.wordpress.com/2011/06/29/creating-a-zk-groovy-console/我在这里描述了一个演示应用程序: http://javadude.wordpress.com/2011/06/29/creating-a-zk-groovy-console/
Object value = shell.evaluate("whatever groovy script");
You can execute System.exit(0) which shuts down the AS or even shell commands like "ls -l".execute().text or just snoop around system settings println InetAddress.localHost.hostAddress您可以执行System.exit(0)关闭 AS 甚至 shell 命令,如"ls -l".execute().text或只是窥探系统设置println InetAddress.localHost.hostAddress
I could do a string check before executing, like filter for System.xyz or execute.xyz我可以在执行之前进行字符串检查,例如过滤System.xyz或execute.xyz
Any experience or recipes?有什么经验或食谱吗?
Thanks谢谢
Sven斯文
1 个解决方案
解决方案1
4 已采纳 2011-07-08 09:54:08
With groovy 1.8, you can customize the compiler configuration使用 groovy 1.8,您可以自定义编译器配置
There's a blog post here which explains more:这里有一篇博客文章解释了更多:
http://www.jroller.com/melix/entry/customizing_groovy_compilation_process http://www.jroller.com/melix/entry/customizing_groovy_compilation_process
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.