Hi Eliezer, It's not Nashorn, but last year I wrote a deterministic execution framework based on a custom rewriting classloader and some runtime support.
There's an article I wrote about it here: https://www.infoq.com/articles/Deterministic-Execution-JVM and the code is available here: https://github.com/corda/corda/tree/master/experimental/sandbox If you wanted to take a look & see if it meets your needs, I'd be happy to help you (but we should probably discuss directly, as it's not really Nashorn-relevant). Thanks, Ben On Mon, May 1, 2017 at 1:55 PM, Jim Laskey (Oracle) <[email protected]> wrote: > From: Eliezer Julian <[email protected] > <mailto:[email protected]>> > Subject: Running JS code on a server > Date: May 1, 2017 at 6:28:05 AM ADT > To: "[email protected] <mailto:[email protected]>" > <[email protected] <mailto:[email protected]>> > Cc: Elior Apelbaum <[email protected] > <mailto:[email protected]>>, Moshe Robinov > <[email protected] <mailto:[email protected]>>, Chen Malka > <[email protected] <mailto:[email protected]>> > > > Hi, > > I am developing a server side application and would like to add a feature > that allows a user to submit JS code to be executed via Nashorn. My concern > is that a user may submit malicious code that may compromise the server. I > have already limited the script’s access to the bare minimum of Java classes, > and have implemented a mechanize to kill the script if execution time runs > over a certain limit. I have also manually removed many of the special > methods such as print, echo, exit and quit from the Bindings object. However, > this is extremely limited in scope compared to the damage a willfully > malicious user may be able to effect via this feature (such as allocating too > much memory, try to access the file system via the script, etc.). I was > wondering if the Nashorn development team had any recommendations as far as > security is concerned, and whether there are any plans to add additional > security features in the future. > > Thanks, > > Eli Julian > Software Developer > Decision Division > > Email: [email protected] <mailto:[email protected]> > Office: +972-3-7902155 > Mobile: +972-50-3697238 > Skype handle: eli_julian > Visit us at: www.sapiens.com <http://www.sapiens.com/>
