Hi Tobias,
How do you terminate a thread? The only way to terminate a Thread from outside
is Thread.stop, which is very dangerous. Thread.interrupt will only stop the
thread if that thread supports interrupting. A simple 'while(true);' will not
terminate. Even if you manage to terminate a script in a few seconds, this will
not help against a script like:
var i = 0, o = {};
while(true) {
o[i++] = new Array(1000000);
}
Don't understand me wrong, a resource like this can be useful in some
situations, but you really have to make sure it is not exposed to the user, or
you will have to deal with rogue scripts.
Best regards,
Emond
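
The two points raised in this thread, the ClassFilter allow-list and the fact that an interrupt does not stop 'while(true);', shown together as an added example; this is not code from the thread or from the project. It assumes a JDK that still bundles Nashorn (Java 8u40 through 14), and the class name FilteredEval and the allow-list contents are hypothetical.

```java
import java.util.*;
import java.util.concurrent.*;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Added illustration: class name and allow-list contents are assumptions.
public class FilteredEval {
    // Only these Java classes are visible to scripts through Java.type().
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("java.lang.Math"));

    static ScriptEngine newEngine() {
        // exposeToScripts(String) is consulted for every class a script requests.
        ClassFilter filter = ALLOWED::contains;
        return new NashornScriptEngineFactory().getScriptEngine(filter);
    }

    public static void main(String[] args) throws Exception {
        // 1. The filter rejects the System.exit script before it can run.
        try {
            newEngine().eval("Java.type('java.lang.System').exit(0)");
        } catch (Exception e) {
            System.out.println("blocked by filter: " + e.getMessage());
        }

        // 2. A timeout plus interrupt does not end a busy loop.
        final Thread[] worker = new Thread[1];
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            worker[0] = new Thread(r, "script-worker");
            worker[0].setDaemon(true); // lets the JVM exit despite the stuck thread
            return worker[0];
        });
        Callable<Object> task = () -> newEngine().eval("while(true);");
        Future<Object> result = pool.submit(task);
        try {
            result.get(2, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            result.cancel(true); // only sets the interrupt flag on the worker
            Thread.sleep(500);
            System.out.println("still running after interrupt: " + worker[0].isAlive());
        }
        pool.shutdownNow();
    }
}
```

The filter addresses class access only; the memory-exhausting script above passes it unchanged, since it uses no Java classes at all.
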
On Thursday, January 07, 2016 10:25:30 AM Tobias Soloschenko wrote:
> Hi Emond,
>
> I already implemented a thread pool which terminates long running scripts. I
> am going to submit it this evening.
>
> Good hint with the class filter - I am going to have a look at it. Thanks!
>
> kind regards
>
> Tobias
>
> > On 07.01.2016 at 08:24, Emond Papegaaij
> > <[email protected]> wrote:
> >
> > Hi Tobias,
> >
> > This is a very nice feature indeed, but be very careful when exposing
> > server-side code to a client. What would happen if some user would post
> > 'Java.type("java.lang.System").exit(0)'? A service like this must always
> > be protected via some sort of whitelist filter. The Java Scripting API
> > has support for ClassFilter, which can be used for this.
> >
> > Another problem is a DoS attack. A user could post several non-terminating
> > scripts, eating all available processing threads or claim insane amounts
> > of memory. These types of attacks are much harder to protect against.
> > Some scripting engines allow inserting custom code before and/or after
> > every statement. This could be used to protect against non-terminating
> > scripts. However, preventing OutOfMemory is very difficult (if not
> > impossible). There are simply too many ways memory can be claimed and no
> > way of checking the amount used.
> >
> > Best regards,
> > Emond Papegaaij
> >
> >> On Wednesday, January 06, 2016 06:40:53 PM Tobias Soloschenko wrote:
> >> Hi guys,
> >>
> >> I am currently playing around a bit with the nashorn implementation of
> >> Java 8.
> >>
> >> I just implemented a ResourceReference to show up cool features. :-)
> >>
> >> Features:
> >> * Post javascript against the resource reference which is executed on
> >> server side and optionally enriched with user scoped objects that can be
> >> accessed (read / write)
> >> * Access to user objects can be set up in the corresponding method