Reputation: 3529
If I evaluate JavaScript code submitted from the browser on the server (Java webapp using the Rhino JavaScript Engine), does it pose a security risk?
The evaluation of the JavaScript is being done only to know if it's valid JavaScript.
I don't expect the evaluation to return me anything. I don't expect it to store anything, or touch anything. All it should do is tell me if the user submitted valid JavaScript.
If it is something that poses security issues, can I take some steps to make sure that the JavaScript will not cause any harm to the system?
Upvotes: 0
Views: 179
Reputation: 413976
Yes, it poses a security risk, because from JavaScript inside Rhino it's possible to access anything in the Java runtime, including (for example) all the java.io classes.
You can make sure that all your calls to Rhino operate under the jurisdiction of a SecurityManager that restricts basically everything. With the JDK's ScriptEngine code there's no built-in way to do that; I don't know what tools are available for Rhino as used with the Mozilla hooks.
Upvotes: 1
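One way to do the syntax check so that nothing is ever executed, added here as an example and not code from the asker or the answerer: compile the source with Rhino's `compileString` instead of `evaluateString`, and create every `Context` from a `ContextFactory` that installs a `ClassShutter` hiding all Java classes and an instruction budget, so that even if a compiled script is later run it cannot reach `java.io` or spin forever. `ClassShutter` and the instruction observer are Rhino's own mechanisms, used here in place of the `SecurityManager` the answer suggests; the class name `JsSyntaxChecker` and the budget values are assumptions.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.EvaluatorException;

/** Syntax-checks untrusted JavaScript with Rhino without running it (hypothetical class name). */
public final class JsSyntaxChecker {

    /** Factory whose Contexts cannot see any Java class and abort after a bounded
     *  number of interpreted instructions, in case a compiled script is ever executed. */
    private static final ContextFactory SANDBOX = new ContextFactory() {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setOptimizationLevel(-1);                // interpreted mode, required for instruction counting
            cx.setInstructionObserverThreshold(10_000); // observeInstructionCount is called every 10k instructions
            cx.setClassShutter(new ClassShutter() {
                @Override
                public boolean visibleToScripts(String fullClassName) {
                    return false;                       // deny Packages.*, java.io.*, java.lang.*, everything
                }
            });
            return cx;
        }

        @Override
        protected void observeInstructionCount(Context cx, int instructionCount) {
            if (instructionCount > 1_000_000) {         // assumed budget; abort runaway scripts
                throw new Error("script exceeded instruction budget");
            }
        }
    };

    /** Returns null when the source parses, otherwise the syntax error with its line number.
     *  compileString parses and compiles the source but executes none of it. */
    public static String validate(String untrustedSource) {
        Context cx = SANDBOX.enterContext();
        try {
            cx.compileString(untrustedSource, "user-script", 1, null);
            return null;
        } catch (EvaluatorException e) {
            return e.getMessage() + " (line " + e.lineNumber() + ")";
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        System.out.println(validate("var x = 1 +;"));               // reports a syntax error
        System.out.println(validate("java.io.File.listRoots();"));  // valid syntax, reported as null; never executed
    }
}
```

The second sample shows the important distinction: a syntactically valid script that touches `java.io` passes the check because validation never runs it, and the `ClassShutter` is there only as defence in depth for the case where a compiled `Script` is executed by mistake.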