Class NashornSandboxImpl

java.lang.Object

delight.nashornsandbox.internal.NashornSandboxImpl

All Implemented Interfaces:

NashornSandbox

public class NashornSandboxImpl
extends Object
implements NashornSandbox

Nashorn sandbox implementation.

Created on 2015-08-07

Version:

$Id$

Field Summary

Fields

Modifier and Type	Field	Description
protected boolean	allowExitFunctions
protected boolean	allowGlobalsObjects
protected boolean	allowLoadFunctions
protected boolean	allowNoBraces
protected boolean	allowPrintFunctions
protected boolean	allowReadFunctions
protected Bindings	cached
protected AtomicBoolean	engineAsserted
protected JsEvaluator	evaluator
protected ExecutorService	executor
protected Invocable	lazyInvocable
(package private) static final org.slf4j.Logger	LOG
protected long	maxCPUTime	Maximum CPU time in milliseconds.
protected long	maxMemory	Maximum memory of executor thread used.
protected int	maxPreparedStatements	The size of the LRU cache of prepared statements.
protected final SandboxClassFilter	sandboxClassFilter
protected JsSanitizer	sanitizer
protected final ScriptEngine	scriptEngine
protected SecuredJsCache	suppliedCache

Constructor Summary

Constructors

Constructor	Description
NashornSandboxImpl()
NashornSandboxImpl(String... params)
NashornSandboxImpl(ScriptEngine engine, String... params)

Method Summary

Modifier and Type	Method	Description
void	allow(Class<?> clazz)	Add a new class to the list of allowed classes.
void	allowExitFunctions(boolean v)	Allow Nashorn quit and exit functions.
void	allowGlobalsObjects(boolean v)	Allow Nashorn globals object $ARG, $ENV, $EXEC, $OPTIONS, $OUT, $ERR and $EXIT.
void	allowLoadFunctions(boolean v)	Allow Nashorn load and loadWithNewGlobal functions.
void	allowNoBraces(boolean v)	Force, to check if all blocks are enclosed with curly braces "{}".
void	allowPrintFunctions(boolean v)	Allow Nashorn print and echo functions.
void	allowReadFunctions(boolean v)	Allow Nashorn readLine and readFully functions.
private void	assertScriptEngine()
private void	checkExecutorPresence()
CompiledScript	compile(String js)	Compile the JavaScript string
Bindings	createBindings()	Create new bindings used to replace the state of the current script engine
ScriptEngine	createNashornScriptEngineFactory(String... params)
private SandboxClassFilter	createSandboxClassFilter()
void	disallow(Class<?> clazz)	Remove a class from the list of allowed classes.
void	disallowAllClasses()	Remove all classes from the list of allowed classes.
private boolean	engineBindingUnchanged()
Object	eval(String js)	Evaluates the JavaScript string.
Object	eval(String js, Bindings bindings)	Evaluates the JavaScript string.
Object	eval(String js, ScriptContext scriptContext)	Evaluates the JavaScript string for a given script context
Object	eval(String js, ScriptContext scriptContext, Bindings bindings)	Evaluates the JavaScript string for a given script context
Object	eval(CompiledScript compiledScript)	Run a pre-compiled JavaScript
Object	eval(CompiledScript compiledScript, Bindings bindings)
Object	eval(CompiledScript compiledScript, ScriptContext scriptContext)
Object	eval(CompiledScript compiledScript, ScriptContext scriptContext, Bindings bindings)
protected Object	executeSandboxedOperation(ScriptEngineOperation op)
Object	get(String variableName)	Obtains the value of the specified JavaScript variable.
private JsEvaluator	getEvaluator(ScriptEngineOperation op)
ExecutorService	getExecutor()	Gets the current executor service.
private Invocable	getLazySandboxedInvocable()
Invocable	getSandboxedInvocable()	Returns an Invocable instance, so that method invocations are also sandboxed.
protected JsSanitizer	getSanitizer()
void	inject(String variableName, Object object)	Will add a global variable available to all scripts executed with this sandbox.
boolean	isAllowed(Class<?> clazz)	Check if a class is in the list of allowed classes.
private void	produceSecureBindings()
protected void	resetEngineBindings()
protected void	sanitizeBindings(Bindings bindings)
protected Bindings	secureBindings(Bindings bindings)
void	setExecutor(ExecutorService executor)	Specifies the executor service which is used to run scripts when a CPU time limit is specified.
void	setMaxCPUTime(long limit)	Sets the maximum CPU time in milliseconds allowed for script execution.
void	setMaxMemory(long limit)	Sets the maximum memory in Bytes which JS executor thread can allocate.
void	setMaxPreparedStatements(int max)	The size of prepared statements LRU cache.
void	setScriptCache(SecuredJsCache cache)	Overwrites the cache for pre-processed javascript.
void	setWriter(Writer writer)	Sets the writer, when want to have output from writer function called in JS script

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOG

static final org.slf4j.Logger LOG

sandboxClassFilter

protected final SandboxClassFilter sandboxClassFilter

scriptEngine

protected final ScriptEngine scriptEngine

maxCPUTime

protected long maxCPUTime

Maximum CPU time in milliseconds.

maxMemory

protected long maxMemory

Maximum memory of executor thread used.

executor

protected ExecutorService executor

allowPrintFunctions

protected boolean allowPrintFunctions

allowReadFunctions

protected boolean allowReadFunctions

allowLoadFunctions

protected boolean allowLoadFunctions

allowExitFunctions

protected boolean allowExitFunctions

allowGlobalsObjects

protected boolean allowGlobalsObjects

allowNoBraces

protected boolean allowNoBraces

evaluator

protected JsEvaluator evaluator

sanitizer

protected JsSanitizer sanitizer

engineAsserted

protected AtomicBoolean engineAsserted

lazyInvocable

protected Invocable lazyInvocable

maxPreparedStatements

protected int maxPreparedStatements

The size of the LRU cache of prepared statements.

suppliedCache

protected SecuredJsCache suppliedCache

cached

protected Bindings cached

Constructor Details

NashornSandboxImpl

public NashornSandboxImpl()

NashornSandboxImpl

public NashornSandboxImpl(String... params)

NashornSandboxImpl

public NashornSandboxImpl(ScriptEngine engine,
 String... params)

Method Details

createSandboxClassFilter

private SandboxClassFilter createSandboxClassFilter()

createNashornScriptEngineFactory

public ScriptEngine createNashornScriptEngineFactory(String... params)

assertScriptEngine

private void assertScriptEngine()

engineBindingUnchanged

private boolean engineBindingUnchanged()

produceSecureBindings

private void produceSecureBindings()

resetEngineBindings

protected void resetEngineBindings()

sanitizeBindings

protected void sanitizeBindings(Bindings bindings)

eval

public Object eval(String js)
            throws ScriptCPUAbuseException,
ScriptException

Description copied from interface: NashornSandbox

Evaluates the JavaScript string.

Specified by:

eval in interface NashornSandbox

Parameters:

js - the JavaScript script to be evaluated

Throws:

ScriptCPUAbuseException - when execution time exceeded (when greater than 0 is set

ScriptException - when script syntax error occurs

See Also:

• NashornSandbox.setMaxCPUTime(long)

eval

public Object eval(String js,
 Bindings bindings)
            throws ScriptCPUAbuseException,
ScriptException

Description copied from interface: NashornSandbox

Evaluates the JavaScript string.

Specified by:

eval in interface NashornSandbox

Parameters:

js - the JavaScript script to be evaluated

bindings - the Bindings to use for evaluation

Throws:

ScriptCPUAbuseException - when execution time exceeded (when greater than 0 is set

ScriptException - when script syntax error occurs

See Also:

• NashornSandbox.setMaxCPUTime(long)

eval

public Object eval(String js,
 ScriptContext scriptContext)
            throws ScriptCPUAbuseException,
ScriptException

Description copied from interface: NashornSandbox

Evaluates the JavaScript string for a given script context

Specified by:

eval in interface NashornSandbox

Parameters:

js - the JavaScript script to be evaluated

scriptContext - the ScriptContext exposing sets of attributes in different scopes.

Throws:

ScriptCPUAbuseException - when execution time exceeded (when greater than 0 is set

ScriptException - when script syntax error occurs

See Also:

• NashornSandbox.setMaxCPUTime(long)

eval

public Object eval(String js,
 ScriptContext scriptContext,
 Bindings bindings)
            throws ScriptCPUAbuseException,
ScriptException

Description copied from interface: NashornSandbox

Evaluates the JavaScript string for a given script context

Specified by:

eval in interface NashornSandbox

Parameters:

js - the JavaScript script to be evaluated

scriptContext - the ScriptContext exposing sets of attributes in different scopes.

bindings - the Bindings to use for evaluation

Throws:

ScriptCPUAbuseException - when execution time exceeded (when greater than 0 is set

ScriptException - when script syntax error occurs

See Also:

• NashornSandbox.setMaxCPUTime(long)

secureBindings

protected Bindings secureBindings(Bindings bindings)

executeSandboxedOperation

protected Object executeSandboxedOperation(ScriptEngineOperation op)
                                    throws ScriptCPUAbuseException,
ScriptException

Throws:

ScriptCPUAbuseException

ScriptException

getEvaluator

private JsEvaluator getEvaluator(ScriptEngineOperation op)

checkExecutorPresence

private void checkExecutorPresence()

setMaxCPUTime

public void setMaxCPUTime(long limit)

Description copied from interface: NashornSandbox

Sets the maximum CPU time in milliseconds allowed for script execution.

Note, ExecutorService should be also set when time is set greater than 0.

Specified by:

setMaxCPUTime in interface NashornSandbox

Parameters:

limit - time limit in milliseconds

See Also:

• NashornSandbox.setExecutor(ExecutorService)

setMaxMemory

public void setMaxMemory(long limit)

Description copied from interface: NashornSandbox

Sets the maximum memory in Bytes which JS executor thread can allocate.

Note, thread memory usage is only approximation.

Note, ExecutorService should be also set when memory limit is set greater than 0. Nashorn takes some memory at start, be generous and give at least 1MB. If bindings are used, Nashorn allocates additional memory for the bindings which might be a multiple of the memory theoretically required by the data types used. For details, see issue 86.

Current implementation of this limit works only on Sun/Oracle JVM.

Specified by:

setMaxMemory in interface NashornSandbox

Parameters:

limit - limit in bytes

See Also:

• ThreadMXBean.getThreadAllocatedBytes(long)

getSanitizer

protected JsSanitizer getSanitizer()

allow

public void allow(Class<?> clazz)

Description copied from interface: NashornSandbox

Add a new class to the list of allowed classes.

Specified by:

allow in interface NashornSandbox

disallow

public void disallow(Class<?> clazz)

Description copied from interface: NashornSandbox

Remove a class from the list of allowed classes.

Specified by:

disallow in interface NashornSandbox

isAllowed

public boolean isAllowed(Class<?> clazz)

Description copied from interface: NashornSandbox

Check if a class is in the list of allowed classes.

Specified by:

isAllowed in interface NashornSandbox

disallowAllClasses

public void disallowAllClasses()

Description copied from interface: NashornSandbox

Remove all classes from the list of allowed classes.

Specified by:

disallowAllClasses in interface NashornSandbox

inject

public void inject(String variableName,
 Object object)

Description copied from interface: NashornSandbox

Will add a global variable available to all scripts executed with this sandbox.

Specified by:

inject in interface NashornSandbox

Parameters:

variableName - the name of the variable

object - the value, can be null

setExecutor

public void setExecutor(ExecutorService executor)

Description copied from interface: NashornSandbox

Specifies the executor service which is used to run scripts when a CPU time limit is specified.

Specified by:

setExecutor in interface NashornSandbox

Parameters:

executor - the executor service

See Also:

• NashornSandbox.setMaxCPUTime(long)

getExecutor

public ExecutorService getExecutor()

Description copied from interface: NashornSandbox

Gets the current executor service.

Specified by:

getExecutor in interface NashornSandbox

Returns:

current executor service

get

public Object get(String variableName)

Description copied from interface: NashornSandbox

Obtains the value of the specified JavaScript variable.

Specified by:

get in interface NashornSandbox

allowPrintFunctions

public void allowPrintFunctions(boolean v)

Description copied from interface: NashornSandbox

Allow Nashorn print and echo functions.

Only before first NashornSandbox.eval(String) call cause effect.

Specified by:

allowPrintFunctions in interface NashornSandbox

allowReadFunctions

public void allowReadFunctions(boolean v)

Description copied from interface: NashornSandbox

Allow Nashorn readLine and readFully functions.

Only before first NashornSandbox.eval(String) call cause effect.

Specified by:

allowReadFunctions in interface NashornSandbox

allowLoadFunctions

public void allowLoadFunctions(boolean v)

Description copied from interface: NashornSandbox

Allow Nashorn load and loadWithNewGlobal functions.

Only before first NashornSandbox.eval(String) call cause effect.

Specified by:

allowLoadFunctions in interface NashornSandbox

allowExitFunctions

public void allowExitFunctions(boolean v)

Description copied from interface: NashornSandbox

Allow Nashorn quit and exit functions.

Only before first NashornSandbox.eval(String) call cause effect.

Specified by:

allowExitFunctions in interface NashornSandbox

allowGlobalsObjects

public void allowGlobalsObjects(boolean v)

Description copied from interface: NashornSandbox

Allow Nashorn globals object $ARG, $ENV, $EXEC, $OPTIONS, $OUT, $ERR and $EXIT.

Only before first NashornSandbox.eval(String) call cause effect.

Specified by:

allowGlobalsObjects in interface NashornSandbox

allowNoBraces

public void allowNoBraces(boolean v)

Description copied from interface: NashornSandbox

Force, to check if all blocks are enclosed with curly braces "{}".

Warning This option is useful to identify potential abuse but is also prone to identify false positives. Please use with caution. Alternatively you can use setMaxCPUTime to prevent abusive script execution.

Explanation: all loops (for, do-while, while, and if-else, and functions should use braces, because poison_pill() function will be inserted after each open brace "{", to ensure interruption checking. Otherwise simple code like:

    while(true) while(true) {
      // do nothing
    }
  

or even:

    while(true)
  

cause unbreakable loop, which force this sandbox to use Thread.stop() which make JVM unstable.

Properly written code (even in bad intention) like:

    while(true) { while(true) {
      // do nothing
    }}
  

will be changed into:

    while(true) {poison_pill(); 
      while(true) {poison_pill();
        // do nothing
      }
    }
  

which finish nicely when interrupted.

For legacy code, this check can be turned off, but with no guarantee, the JS thread will gracefully finish when interrupted.

Specified by:

allowNoBraces in interface NashornSandbox

Parameters:

v - true when sandbox should check if all required braces are placed into JS code, false when no check should be performed

setWriter

public void setWriter(Writer writer)

Description copied from interface: NashornSandbox

Sets the writer, when want to have output from writer function called in JS script

Specified by:

setWriter in interface NashornSandbox

Parameters:

writer - the writer, eg. StringWriter

setMaxPreparedStatements

public void setMaxPreparedStatements(int max)

Description copied from interface: NashornSandbox

The size of prepared statements LRU cache. Default 0 (disabled).

Each statements when NashornSandbox.setMaxCPUTime(long) is set is prepared to quit itself when time exceeded. To execute only once this procedure per statement set this value.

When NashornSandbox.setMaxCPUTime(long) is set 0, this value is ignored.

Specified by:

setMaxPreparedStatements in interface NashornSandbox

Parameters:

max - the maximum number of statements in the LRU cache

createBindings

public Bindings createBindings()

Description copied from interface: NashornSandbox

Create new bindings used to replace the state of the current script engine

This can be typically used to override ECMAScript "global" properties

Specified by:

createBindings in interface NashornSandbox

Returns:

getSandboxedInvocable

public Invocable getSandboxedInvocable()

Description copied from interface: NashornSandbox

Returns an Invocable instance, so that method invocations are also sandboxed.

Specified by:

getSandboxedInvocable in interface NashornSandbox

Returns:

getLazySandboxedInvocable

private Invocable getLazySandboxedInvocable()

setScriptCache

public void setScriptCache(SecuredJsCache cache)

Description copied from interface: NashornSandbox

Overwrites the cache for pre-processed javascript. Must be called before the first invocation of NashornSandbox.eval(String) and its overloads.

Specified by:

setScriptCache in interface NashornSandbox

Parameters:

cache - the new cache to use

compile

public CompiledScript compile(String js)
                       throws ScriptException

Description copied from interface: NashornSandbox

Compile the JavaScript string

Specified by:

compile in interface NashornSandbox

Parameters:

js - the JavaScript script to be compiled

Returns:

a CompiledScript object

Throws:

ScriptException

eval

public Object eval(CompiledScript compiledScript)
            throws ScriptCPUAbuseException,
ScriptException

Description copied from interface: NashornSandbox

Run a pre-compiled JavaScript

Specified by:

eval in interface NashornSandbox

Throws:

ScriptCPUAbuseException

ScriptException

eval

public Object eval(CompiledScript compiledScript,
 Bindings bindings)
            throws ScriptCPUAbuseException,
ScriptException

Specified by:

eval in interface NashornSandbox

Throws:

ScriptCPUAbuseException

ScriptException

eval

public Object eval(CompiledScript compiledScript,
 ScriptContext scriptContext)
            throws ScriptCPUAbuseException,
ScriptException

Specified by:

eval in interface NashornSandbox

Throws:

ScriptCPUAbuseException

ScriptException

eval

public Object eval(CompiledScript compiledScript,
 ScriptContext scriptContext,
 Bindings bindings)
            throws ScriptCPUAbuseException,
ScriptException

Specified by:

eval in interface NashornSandbox

Throws:

ScriptCPUAbuseException

ScriptException