
If I evaluate JavaScript code submitted from the browser on the server (Java webapp using the Rhino JavaScript engine), does it pose a security risk?

The evaluation of the JavaScript is being done only to know if it's valid JavaScript.

I don't expect the evaluation to return me anything. I don't expect it to store anything, or touch anything. All it should do is tell me if the user submitted valid JavaScript.

If it is something that poses security issues, can I take some steps to make sure that the JavaScript will not cause any harm to the system?

  • Valid JavaScript can be used to harm systems; it is up to you to define what is harmful and what is not. I think you need to re-think your security model here. Posting more information about what you intend to protect or what you intend to prevent will help. Commented May 18, 2011 at 21:44
  • If you just want to make sure that the entered JavaScript is valid, then you only need to compile it, right? Commented May 18, 2011 at 21:47

1 Answer

Yes, it poses a security risk, because from JavaScript inside Rhino it's possible to access anything in the Java runtime, including (for example) all the java.io classes.

You can make sure that all your calls to Rhino operate under the jurisdiction of a SecurityManager that restricts basically everything. With the JDK's ScriptEngine code there's no built-in way to do that; I don't know about what tools are available for Rhino as used with the Mozilla hooks.


2 Comments

The JDK version of Rhino should restrict what the script can do to the permissions available when the script was started. However, it will by default have access to your application code, which generally won't be secure.
Right, that's what I mean - it's pretty common for something like a web server to be running without a restrictive security manager, and even if there is one, it's probably more permissive than what you'd like to hand over to any random script posted to a public URL :-)
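The "compile it, don't run it" approach from the comments, as an added example (not from the question or the answer above): it assumes Mozilla Rhino (`org.mozilla.javascript`) on the classpath rather than the JDK's bundled engine, and the class name `JsSyntaxCheck` and sample inputs are constructed for illustration.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;

/** Syntax-checks user-submitted JavaScript with Rhino without ever executing it. */
public final class JsSyntaxCheck {

    /** Returns true if src parses as JavaScript. The script is compiled, never run. */
    public static boolean isValidJavaScript(String src) {
        Context cx = Context.enter();
        try {
            // Interpretive mode: no bytecode generation, no class loading for the script.
            cx.setOptimizationLevel(-1);
            // Hide every Java class from scripts, so even an accidental evaluate*()
            // call on this Context could not reach java.io or the application's classes.
            cx.setClassShutter(new ClassShutter() {
                public boolean visibleToScripts(String fullClassName) {
                    return false;
                }
            });
            // compileString only parses and builds a Script object; nothing executes.
            cx.compileString(src, "user-submitted", 1, null);
            return true;
        } catch (RhinoException e) {
            // Parse error reported by Rhino: the submission is invalid JavaScript.
            return false;
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: well-formed, malformed, and well-formed but
        // dangerous if executed (it is only parsed here, so no file is touched).
        System.out.println(isValidJavaScript("var x = 1 + 2;"));
        System.out.println(isValidJavaScript("var x = ;"));
        System.out.println(isValidJavaScript("new java.io.File('/tmp/x').delete();"));
    }
}
```

The third input is the point of the thread: syntactically valid scripts can still be harmful, so validity must be established by parsing alone, and the executing path (if any exists elsewhere in the application) needs its own sandboxing.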
