
How to secure scripting with JSR 223?

I use Groovy as a dynamic script engine to allow admin users of my web application to create little scripts as part of an interface solution, e.g. to do simple string operations, tokenize and so on.
Unfortunately that opens quite a big loophole, because by default the script engine would execute anything.
I described a demo app here: http://javadude.wordpress.com/2011/06/29/creating-a-zk-groovy-console/

Object value = shell.evaluate("whatever groovy script");

You can execute System.exit(0), which shuts down the AS, or even shell commands like "ls -l".execute().text, or just snoop around system settings: println InetAddress.localHost.hostAddress

I could do a string check before executing, e.g. filter for System.xyz or execute.xyz.

Any experience or recipes?

Thanks
Sven

With Groovy 1.8, you can customize the compiler configuration.

There's a blog post here which explains more:

http://www.jroller.com/melix/entry/customizing_groovy_compilation_process
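The answer points at compiler customizers but shows no code, so here is an added example (not the answerer's code and not from the linked blog post) of the approach applied to the question's exact escapes: a SecureASTCustomizer attached to a CompilerConfiguration that is handed to the GroovyShell, plus an expression checker that rejects class references, constructor calls and a set of method/property names. Property names follow the Groovy 1.8/2.x SecureASTCustomizer API; the denylists and the sample scripts are assumptions made for the demo.

```groovy
import org.codehaus.groovy.ast.expr.ClassExpression
import org.codehaus.groovy.ast.expr.ConstructorCallExpression
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.PropertyExpression
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Build a GroovyShell whose compiler rejects dangerous constructs before the
// script runs. Property names follow the Groovy 1.8/2.x SecureASTCustomizer API.
GroovyShell buildRestrictedShell() {
    // Assumed denylists for this demo: names that reach process execution,
    // reflection, the metaclass or class loading. Extend them for your own setup.
    Set<String> deniedMethods = ['execute', 'invokeMethod', 'getClass', 'getMetaClass',
        'setMetaClass', 'getClassLoader', 'forName', 'newInstance', 'evaluate', 'parse'] as Set
    Set<String> deniedProperties = ['class', 'metaClass', 'classLoader'] as Set

    def secure = new SecureASTCustomizer()
    secure.with {
        packageAllowed = false
        methodDefinitionAllowed = false
        closuresAllowed = true              // collect { }, each { } are wanted
        indirectImportCheckEnabled = true   // also check fully qualified names used inline
        importsWhitelist = []               // no import statements at all
        staticImportsWhitelist = []
        starImportsWhitelist = []
        staticStarImportsWhitelist = []
        // Receivers are checked by their static type in the AST. A `def` variable or the
        // result of a GDK call has type Object, so Object must be allowed for dynamic
        // scripts to work at all; the expression checker below carries the real weight.
        receiversClassesWhiteList = [Object, String, GString, CharSequence, Integer, Long,
            BigDecimal, Boolean, List, Map, Collection]
    }

    secure.addExpressionCheckers({ Expression expr ->
        if (expr instanceof ClassExpression || expr instanceof ConstructorCallExpression) {
            // No class references and no `new` at all: System, Runtime, Class, File, GroovyShell...
            return false
        }
        if (expr instanceof MethodCallExpression) {
            // A null name means it is computed at runtime, as in s."${n}"(); reject that too.
            String name = expr.methodAsString
            return name != null && !deniedMethods.contains(name)
        }
        if (expr instanceof PropertyExpression) {
            String prop = expr.propertyAsString
            return prop != null && !deniedProperties.contains(prop)
        }
        return true
    } as SecureASTCustomizer.ExpressionChecker)

    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// Evaluate one admin-supplied script. A construct the customizer rejects raises a
// SecurityException inside the compiler, which Groovy reports as a compilation
// failure, so nothing in the script has executed by the time we see it.
Object runUserScript(GroovyShell shell, String script) {
    try {
        return shell.evaluate(script)
    } catch (CompilationFailedException e) {
        return "REJECTED: ${e.message}"
    }
}

def shell = buildRestrictedShell()

// Constructed samples: the first is what an admin is meant to write, the next three
// are the escapes from the question, the last hides the class behind a variable.
[
    "'alpha,beta,gamma'.tokenize(',').collect { it.toUpperCase() }.join('|')",
    'System.exit(0)',
    '"ls -l".execute().text',
    'println InetAddress.localHost.hostAddress',
    'def k = System; k.exit(0)',
].each { src -> println "${src}\n  -> ${runUserScript(shell, src)}" }
```

The AST check is stronger than the text filter the question considers, because it sees the structure of a call rather than its spelling, so "exe" + "cute" or a name built from a GString does not slip past it. It is still a compile-time filter and not a sandbox: the Groovy documentation itself says SecureASTCustomizer does not guarantee security, the receiver whitelist works on static types (which is why Object has to be allowed and the name checks matter), and nothing here bounds CPU or memory, so a while(true) {} script still ties up the thread. Treat it as one layer, run the evaluation under a timeout and with the least privilege the process can be given, and keep script authoring limited to trusted admins. Later Groovy releases renamed the whitelist/blacklist properties to allowed.../disallowed... and deprecated the old names.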

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
