Class JsSanitizer

java.lang.Object

delight.nashornsandbox.internal.JsSanitizer

public class JsSanitizer
extends Object

JavaScript sanitizer. Check for loops and inserts function call which breaks script execution when JS engine thread is interrupted.

Created on 2017.11.22

Version:

$Id$

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
private static class	JsSanitizer.PoisonPil

Field Summary

Fields

Modifier and Type	Field	Description
private final boolean	allowNoBraces	true when lack of braces is allowed.
private static final List<String>	BEAUTIFY_FUNCTIONS	The beautify function search list.
private static final String	BEAUTIFY_JS	The resource name of beautify.min.js script.
private static final Map<String,Object>	BEAUTIFY_OPTIONS	The beautifier options.
private static SoftReference<String>	beautifysScript	Soft reference to the text of the js script.
(package private) static final String	JS_INTERRUPTED_FUNCTION	The name of the JS function to be inserted into user script.
(package private) static final String	JS_INTERRUPTED_TEST	The name of the variable which holds reference to interruption checking class.
private final Function<String,String>	jsBeautify	JS beautify() function reference.
private static final List<Pattern>	LACK_EXPECTED_BRACES	Pattern for back braces.
private static final List<JsSanitizer.PoisonPil>	POISON_PILLS
private final ScriptEngine	scriptEngine
private final SecuredJsCache	securedJsCache

Constructor Summary

Constructors

Constructor	Description
JsSanitizer(ScriptEngine scriptEngine, boolean allowBraces, SecuredJsCache cache)
JsSanitizer(ScriptEngine scriptEngine, int maxPreparedStatements, boolean allowBraces)

Method Summary

Modifier and Type	Method	Description
private void	assertScriptEngine()
private static Function<String,String>	beautifierAsFunction(Object beautifyScript)
(package private) String	beautifyJs(String js)
(package private) void	checkBraces(String beautifiedJs)	After beautifier every braces should be in place, if not, or too many we need to prevent script execution.
private void	checkJs(String js)
private SecuredJsCache	createSecuredJsCache(int maxPreparedStatements)
private static Object	getBeautifHandler(ScriptEngine scriptEngine)
private static String	getBeautifyJs()
private String	getPreamble()
(package private) String	injectInterruptionCalls(String str)
private SecuredJsCache	newSecuredJsCache(int maxPreparedStatements)
String	secureJs(String js)
private String	secureJsImpl(String js)

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

BEAUTIFY_JS

private static final String BEAUTIFY_JS

The resource name of beautify.min.js script.

See Also:

• Constant Field Values

BEAUTIFY_FUNCTIONS

private static final List<String> BEAUTIFY_FUNCTIONS

The beautify function search list.

JS_INTERRUPTED_FUNCTION

static final String JS_INTERRUPTED_FUNCTION

The name of the JS function to be inserted into user script. To prevent collisions random suffix is added.

See Also:

• Constant Field Values

JS_INTERRUPTED_TEST

static final String JS_INTERRUPTED_TEST

The name of the variable which holds reference to interruption checking class. To prevent collisions random suffix is added.

See Also:

• Constant Field Values

POISON_PILLS

private static final List<JsSanitizer.PoisonPil> POISON_PILLS

BEAUTIFY_OPTIONS

private static final Map<String,Object> BEAUTIFY_OPTIONS

The beautifier options. Don't change if you are not know what you are doing, because regexps are depended on it.

beautifysScript

private static SoftReference<String> beautifysScript

Soft reference to the text of the js script.

scriptEngine

private final ScriptEngine scriptEngine

jsBeautify

private final Function<String,String> jsBeautify

JS beautify() function reference.

securedJsCache

private final SecuredJsCache securedJsCache

allowNoBraces

private final boolean allowNoBraces

true when lack of braces is allowed.

LACK_EXPECTED_BRACES

private static final List<Pattern> LACK_EXPECTED_BRACES

Pattern for back braces.

Constructor Details

JsSanitizer

JsSanitizer(ScriptEngine scriptEngine,
 int maxPreparedStatements,
 boolean allowBraces)

JsSanitizer

JsSanitizer(ScriptEngine scriptEngine,
 boolean allowBraces,
 SecuredJsCache cache)

Method Details

assertScriptEngine

private void assertScriptEngine()

getBeautifHandler

private static Object getBeautifHandler(ScriptEngine scriptEngine)

createSecuredJsCache

private SecuredJsCache createSecuredJsCache(int maxPreparedStatements)

newSecuredJsCache

private SecuredJsCache newSecuredJsCache(int maxPreparedStatements)

checkBraces

void checkBraces(String beautifiedJs)
          throws BracesException

After beautifier every braces should be in place, if not, or too many we need to prevent script execution.

Parameters:

beautifiedJs - evaluated script

Throws:

BracesException - when braces are incorrect

injectInterruptionCalls

String injectInterruptionCalls(String str)

getPreamble

private String getPreamble()

checkJs

private void checkJs(String js)

secureJs

public String secureJs(String js)
                throws ScriptException

Throws:

ScriptException

secureJsImpl

private String secureJsImpl(String js)
                     throws BracesException

Throws:

BracesException

beautifyJs

String beautifyJs(String js)

getBeautifyJs

private static String getBeautifyJs()

beautifierAsFunction

private static Function<String,String> beautifierAsFunction(Object beautifyScript)