How to secure scripts run with javax.scripting?

Posted 2024-08-03 04:22:52 | 418 characters | 15 views | 0 comments

I am using javax.scripting to add support for running arbitrary user-uploaded JavaScripts on the server-side. Obviously I want to secure those scripts!

Rhino, on its own, has a framework for securing scripts at runtime. The documentation for javax.scripting, however, doesn't mention security, permissions or restricting classes available to the script. So is this just a huge hole in the javax.scripting API that it doesn't offer a framework to secure scripts it executes?

I don't want to use Rhino directly because I originally tried that but had some problems exposing Java instances to the running script. The javax.scripting framework (which uses Rhino under the hood) made this trivial and also simplified running scripts in a multi-threaded server.

I would like to white-list Java classes that can be accessed/instantiated within the running script. Can anyone point me to an example or documentation on how to achieve this?

Comments (3)

嗫嚅 2024-08-10 04:22:52

It turns out that javax.scripting does not offer a security framework. After some searching I found a document in Google's cache that suggested trying to use Java's doPrivilegedAction framework but after some experimentation, I was unable to get this to prevent the scripts from opening sockets or accessing the filesystem.

After I asked this question I discovered it was previously asked here on StackOverflow: How can you run Javascript using Rhino for Java in a sandbox? On that page, it falsely indicates that the Rhino included in the JDK6 has security worked out already. As I indicated, I was able to open sockets and other harmful actions from the script.

In the end I abandoned javax.scripting and embedded Rhino directly. By building a custom ContextFactory that is also a ClassShutter I was able to achieve two results easily:

  1. Restricts script execution time to a maximum time limit
  2. Restricts class access to those I have white-listed, which is basically java.lang.* and a select few classes in my server's hierarchy.

CodeUtopia (which I can't link to because, as a new user, I'm not allowed to link to multiple pages in a single post; but it's linked in the other StackOverflow post) was valuable in describing the ClassShutter architecture and Rhino's own ContextFactory API page describes how to build a custom ContextFactory.

我为君王 2024-08-10 04:22:52

http://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/ describes a way to sandbox Rhino, and javax.scripting uses Rhino as the JS script engine so you should be able to use the above, though the package names might differ.

I’ve been working on a Java app which needed Rhino for scripting. The app would need to run untrusted JavaScript code from 3rd parties, so I had to find a way to block access to all Java methods, except the ones I wanted. This would not be a problem if there was an easy way to disable LiveConnect - the feature of Rhino which provides java access to scripts - but there is no such thing.

However, after a lot of digging around, I finally found a way to do this without too much hacking. In fact, it can be done by just extending a few of the Rhino classes, and using the setters provided to override some of the default ones.
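
The design that the accepted answer describes and that the CodeUtopia post quoted above walks through (a ContextFactory that is also the ClassShutter, enforcing a run-time limit and a class whitelist) as an added Java example; it is not the answerer's or CodeUtopia's code. It assumes Rhino's org.mozilla.javascript API, a hypothetical application package com.example.scriptapi whose classes scripts may use, and a hypothetical 2-second budget.

```java
import java.util.Set;
import org.mozilla.javascript.*;

// Added example, not the answerer's or CodeUtopia's code. One ContextFactory that is also the
// ClassShutter: every Context it creates is interpreted, instruction-observed for the time
// limit, and only sees whitelisted classes. Assumes Rhino 1.7 (org.mozilla.javascript).
public class SandboxContextFactory extends ContextFactory implements ClassShutter {

    private static final long MAX_MILLIS = 2_000;                      // hypothetical budget
    private static final String APP_API = "com.example.scriptapi.";    // hypothetical package
    // Whitelist = direct members of java.lang minus the classes that reach processes, threads,
    // class loading and reflection. The denylist is this example's hardening, not the answer's.
    private static final Set<String> DENIED = Set.of("java.lang.Runtime", "java.lang.ProcessBuilder",
            "java.lang.Process", "java.lang.System", "java.lang.Thread", "java.lang.ClassLoader",
            "java.lang.Class", "java.lang.SecurityManager");

    private static class SandboxContext extends Context {             // start time per Context
        long startMillis;
        SandboxContext(ContextFactory f) { super(f); }
    }

    @Override protected Context makeContext() {
        SandboxContext cx = new SandboxContext(this);
        cx.setOptimizationLevel(-1);                // interpreted mode, so the observer is called
        cx.setInstructionObserverThreshold(10_000); // observeInstructionCount every 10k instructions
        cx.setClassShutter(this);                   // applied to every Packages / java.* lookup
        return cx;
    }

    @Override protected Object doTopCall(Callable callable, Context cx, Scriptable scope,
                                         Scriptable thisObj, Object[] args) {
        ((SandboxContext) cx).startMillis = System.currentTimeMillis(); // script entry
        return super.doTopCall(callable, cx, scope, thisObj, args);
    }

    @Override protected void observeInstructionCount(Context cx, int instructionCount) {
        if (System.currentTimeMillis() - ((SandboxContext) cx).startMillis > MAX_MILLIS) {
            throw new Error("script exceeded time limit"); // an Error: script code cannot catch it
        }
    }

    @Override public boolean visibleToScripts(String className) {
        if (className.startsWith(APP_API)) return true;
        boolean inJavaLang = className.startsWith("java.lang.")
                && className.indexOf('.', "java.lang.".length()) < 0; // rejects java.lang.reflect.*
        return inJavaLang && !DENIED.contains(className);
    }
}
```

Register it once with `ContextFactory.initGlobal(new SandboxContextFactory())` before the first `Context.enter()`; a script's `java.lang.Runtime` or `Packages.java.net.Socket` lookup is then refused by visibleToScripts, and a runaway loop is stopped at the next observer callback.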

动听の歌 2024-08-10 04:22:52

FYI, this is now possible in the new Java 8 implementation of javax.scripting which uses a new engine called Nashorn. See Secure Nashorn JS Execution
