Secure Nashorn JS Execution

Question

How can I securely execute some user supplied JS code using Java8 Nashorn?

The script extends some computations for some servlet based reports. The app has many diff

Answer 1

So far as I can tell, you can't sandbox Nashorn. An untrusted user can execute the "Additional Nashorn Built-In Functions" listed here:

https://docs.oracle.com/javase/8/docs/technotes/guides/scripting/nashorn/shell.html

which include "quit()". I tested it; it exits the JVM entirely.

(As an aside, in my setup the global objects, $ENV, $ARG, did not work, which is good.)

If I'm wrong about this, someone please leave a comment.