Hi Eliezer,

It's not Nashorn, but last year I wrote a deterministic execution framework based on a custom rewriting classloader and some runtime support.

There's an article I wrote about it here:
https://www.infoq.com/articles/Deterministic-Execution-JVM

and the code is available here:
https://github.com/corda/corda/tree/master/experimental/sandbox

If you wanted to take a look & see if it meets your needs, I'd be happy to help you (but we should probably discuss directly, as it's not really Nashorn-relevant).

Thanks,

Ben

On Mon, May 1, 2017 at 1:55 PM, Jim Laskey (Oracle) <james.las...@oracle.com> wrote:

> From: Eliezer Julian <eliezer.jul...@sapiens.com>
> Subject: Running JS code on a server
> Date: May 1, 2017 at 6:28:05 AM ADT
> To: "nashorn-dev@openjdk.java.net" <nashorn-dev@openjdk.java.net>
> Cc: Elior Apelbaum <elior.apelb...@sapiens.com>, Moshe Robinov
> <moshe.robi...@sapiens.com>, Chen Malka <chen.ma...@sapiens.com>
>
> Hi,
>
> I am developing a server side application and would like to add a feature
> that allows a user to submit JS code to be executed via Nashorn. My concern
> is that a user may submit malicious code that may compromise the server. I
> have already limited the script’s access to the bare minimum of Java classes,
> and have implemented a mechanism to kill the script if execution time runs
> over a certain limit. I have also manually removed many of the special
> methods such as print, echo, exit and quit from the Bindings object. However,
> this is extremely limited in scope compared to the damage a willfully
> malicious user may be able to effect via this feature (such as allocating too
> much memory, trying to access the file system via the script, etc.). I was
> wondering if the Nashorn development team had any recommendations as far as
> security is concerned, and whether there are any plans to add additional
> security features in the future.
>
> Thanks,
>
> Eli Julian
> Software Developer
> Decision Division
>
> Email: eliezer.jul...@sapiens.com
> Office: +972-3-7902155
> Mobile: +972-50-3697238
> Skype handle: eli_julian
> Visit us at: www.sapiens.com <http://www.sapiens.com/>
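
The three mitigations the quoted question describes (restricting Java class access, removing special globals from the Bindings, killing a script that runs too long), sketched together as an added example; this is not code from the thread or from either poster. It assumes a JDK that still ships Nashorn (8u40 to 14); the class name `RestrictedNashorn`, the `run` helper and the removal of `load`/`loadWithNewGlobal` are choices made here, and it does not bound memory use, which the question notes as still open.

```java
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicReference;
import javax.script.Bindings;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class RestrictedNashorn {
    // Deny by default: no Java class is resolvable from script code.
    // Swap in an explicit allowlist if scripts need specific classes.
    static final ClassFilter DENY_ALL = className -> false;

    // Globals named in the question, plus load/loadWithNewGlobal (added here).
    static final String[] REMOVED =
        {"print", "echo", "exit", "quit", "load", "loadWithNewGlobal"};

    static Object run(String userScript, long timeoutMs) throws Exception {
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(DENY_ALL);
        Bindings globals = engine.getBindings(ScriptContext.ENGINE_SCOPE);
        for (String name : REMOVED) globals.remove(name);

        AtomicReference<Object> result = new AtomicReference<>();
        AtomicReference<Throwable> failure = new AtomicReference<>();
        Thread worker = new Thread(() -> {
            try { result.set(engine.eval(userScript)); }
            catch (Throwable t) { failure.set(t); }
        }, "script-worker");
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMs);
        if (worker.isAlive()) {
            // interrupt() does not stop a busy loop in compiled script code;
            // Thread.stop() is deprecated but works on the JDKs that ship Nashorn.
            worker.stop();
            throw new TimeoutException("script exceeded " + timeoutMs + " ms");
        }
        if (failure.get() != null) throw new Exception("script failed", failure.get());
        return result.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(run("1 + 2", 1000));
        try { run("Java.type('java.io.File')", 1000); }   // rejected by DENY_ALL
        catch (Exception e) { System.out.println("blocked: " + e.getCause()); }
        try { run("while (true) {}", 500); }              // killed after 500 ms
        catch (TimeoutException e) { System.out.println(e.getMessage()); }
    }
}
```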