Hi Emond,

ok, then I would leave the NRR as it is, now.
Maybe there will be a way to improve it in the future.

kind regards

Tobias

> On 08.01.2016 at 09:08, Emond Papegaaij <emond.papega...@topicus.nl> wrote:
>
> Hi Tobias,
>
> Unfortunately, even Thread.stop is not fool-proof. For example, if you try
> this script, it will not terminate:
>
> var x = 0;
> while (true) {
>     try {
>         x++;
>     } catch (e) {
>     }
> }
>
> The problem in this case is that Thread.stop causes a ThreadDeath to be
> thrown inside the thread. This Error is caught by the catch-statement,
> ignored and the script will keep running.
>
> I don't think there is a way to protect against all kinds of malicious
> scripts. There are simply too many ways to break a running VM. To be able
> to run scripts from untrusted sources, you will have to run these scripts
> in some kind of sandbox. You could, for example, spawn a new VM with
> limited resources.
>
> In one of our applications, users are able to write scripts in Groovy,
> which are used to generate reports. We use a very strict class and method
> whitelist, to prevent scripts from breaking out of their environment. We
> also inject code in all loops to abort a script when needed. However, this
> still does not protect us against things like claiming large amounts of
> memory. Also, a script can still catch the Exception we use to abort it
> and continue running. We simply have to trust our users to not write
> scripts that would harm our server. Therefore, we only allow a select
> group of users to write scripts and we can always see who wrote it.
>
> Best regards,
> Emond
>
>> On Thursday, January 07, 2016 07:57:36 PM Tobias Soloschenko wrote:
>> Hi Emond,
>>
>> ok the last thing left is the memory consumption. Hope that I am able to
>> find a way to make this also safe.
>>
>> Any suggestions here?
>>
>> kind regards
>>
>> Tobias
>>
>>> On 07.01.16 at 15:43, Emond Papegaaij wrote:
>>> Hi Tobias,
>>>
>>> You have to modify the code with the snippet below. This will wait for
>>> termination with a timeout of 1 minute, after which the VM still
>>> terminates. However, in a normal web application, the VM will not
>>> terminate, so threads will stay active until you terminate your entire
>>> application.
>>>
>>> The code to trigger an out-of-memory is:
>>>
>>> var i = 0, o = {};
>>> while(true) {
>>>
>>>     o[i++] = new Array(1000000);
>>>
>>> }
>>>
>>> Also, you can try to run the same test case multiple times in 1 go. After
>>> about 100 executions of the script, I suspect your system will start to
>>> die on you.
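
The "spawn a new VM with limited resources" approach mentioned in the thread, sketched as an added example (not code from the thread or from the project it discusses). ScriptRunnerMain is a hypothetical main class that evaluates the script file passed as its argument; the heap size and timeout are constructed values.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

public class SandboxedScriptLauncher {

    enum Outcome { OK, FAILED, TIMED_OUT }

    // Builds the command line for the child JVM. The heap cap applies to the
    // child only, so the out-of-memory loop cannot exhaust the server's heap.
    static List<String> childCommand(Path script, int maxHeapMb) {
        String java = Paths.get(System.getProperty("java.home"), "bin", "java").toString();
        return Arrays.asList(
                java,
                "-Xmx" + maxHeapMb + "m",
                "-XX:+ExitOnOutOfMemoryError",   // JDK 8u92 or later
                "-cp", System.getProperty("java.class.path"),
                "ScriptRunnerMain",              // hypothetical script evaluator
                script.toString());
    }

    static Outcome run(Path script, int maxHeapMb, long timeoutSeconds)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(childCommand(script, maxHeapMb));
        pb.redirectErrorStream(true);
        // Send output to a file so the child never blocks on a full pipe.
        pb.redirectOutput(new File(script + ".log"));
        Process child = pb.start();

        if (!child.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            // Unlike ThreadDeath from Thread.stop, a process kill cannot be
            // swallowed by a catch block inside the script.
            child.destroyForcibly().waitFor();
            return Outcome.TIMED_OUT;
        }
        return child.exitValue() == 0 ? Outcome.OK : Outcome.FAILED;
    }

    public static void main(String[] args) throws Exception {
        // Constructed limits: 64 MB heap, 60 second wall-clock budget.
        Outcome outcome = run(Paths.get(args[0]), 64, 60);
        System.out.println(args[0] + ": " + outcome);
    }
}
```

The heap cap and the kill bound memory and run time only; CPU, file and network access of the child still need OS-level limits or a restricted account.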