You can ask for a callback every N "instructions" and stop
infinite loops in JS. You have to be careful which Java
libraries you allow access to though, some of them may
contain DoS issues. A supervisor thread could watch for
sneakier runaway user threads and kill them, but Rhino
has no built-in support for this.
Stopping memory DoS is thornier. For Acre we have a patch to
OpenJDK that enforces a per-thread memory allocation limit.
Since we don't allow untrusted code to create threads this
gets the job done. We'd be very happy to have more people
using the patch, but it does require compiling your own JVM.
nick
ian wrote:
> Hi, I'm interested in using Rhino to run untrusted code but I'm
> curious as to how to prevent this code from doing evil things, in
> particular stuff like busy-wait loops to do a CPU DoS, or
> alternatively a memory-DoS.
>
> Is this possible with Rhino?
>
> Regards,
>
_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
