The question is published on by Tutorial Guruji team.
Does anyone know of any scripting for the Java platform that can be forcefully restricted to a provided function set (preferably absolutely no functions unless provided)? I’ve experimented with several JSR223 compatible languages, but have been able to compromise security in all cases.
What my system currently does:
- Load the requested script from the filesystem.
- Create a context to run the script with
- Run the script in the new context
Even if a security manager is properly configured, what would stop malicious script content from accessing (or worse — mutating) fields from objects that it otherwise shouldn’t have access to? This could potentially cause a bit of damage if a mistake is made or if a script is intentionally tailored for malicious behavior.
I guess that I’ll get this up and try to break it. Perhaps it’ll stand up to the test.