Nashorn Security

2639239 Member Posts: 1
edited Mar 25, 2014 1:45PM in Java 8 Questions

Greets-

1) Since people probably are going to be running a variety of dynamically-generated code within Nashorn, what is done to allow the JavaScript code to be sandboxed?

2) Is something like

    nashorn.put("java", null);
    nashorn.put("Java", null);
    nashorn.put("Packages", null);

sufficiently secure sandboxing if it is run before a nashorn.eval(...)? Or at least, if all the bindings are wiped out, would THAT then be sufficient security?

3) Is there any other way to reach outside of the Nashorn environment, even if sandboxed? For example, are there properties available on any JavaScript objects (or Java objects that are passed in) that would allow the dynamic execution of code on the Java side of things?

Thanks,

Nate
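
For comparison with the binding-nulling approach asked about above, here is an added example (not part of the original post and not Oracle's code) that restricts class lookup with Nashorn's `ClassFilter` instead. It assumes a JDK 8u40 or later runtime that still ships Nashorn; the class name `NashornSandboxExample`, the allow-list contents and the sample scripts are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class NashornSandboxExample {
    // Constructed allow-list: the only Java classes a script may resolve by name.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.StringBuilder",
            "java.util.ArrayList"));

    // Build an engine whose class lookups all pass through the allow-list.
    static ScriptEngine newFilteredEngine() {
        ClassFilter allowListOnly = className -> ALLOWED.contains(className);
        return new NashornScriptEngineFactory().getScriptEngine(allowListOnly);
    }

    // Evaluate a script and report whether it completed or was rejected.
    static String tryEval(ScriptEngine engine, String script) {
        try {
            return "ok: " + engine.eval(script);
        } catch (ScriptException | RuntimeException e) {
            return "rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        ScriptEngine engine = newFilteredEngine();
        // Constructed sample scripts: one uses an allow-listed class,
        // the others reference classes outside the allow-list.
        String[] scripts = {
            "var SB = Java.type('java.lang.StringBuilder');"
                + " new SB().append('hi').toString()",
            "Java.type('java.lang.Runtime')",
            "java.lang.System.getProperty('user.home')"
        };
        for (String script : scripts) {
            System.out.println(tryEval(engine, script) + "  <-  " + script);
        }
    }
}
```

The filter governs which classes a script can look up by name; Java objects the host places in the bindings remain callable from the script, so those should be narrow wrappers rather than general-purpose objects.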