How to remove java apis from Nashorn-engine?

陌清茗 2020-12-10 14:36

Is it possible to hide or remove java api's from nashorn-engine? So that it could only see or use "default" ECMAScript 262 Edition 5.1 with some especially exposed functi

5 answers
  • 2020-12-10 15:17

    OK, here is a sample class with some limiting arguments:

    package com.pasuna;
    
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.util.Random;
    import javax.script.Invocable;
    import javax.script.ScriptEngine;
    import javax.script.ScriptException;
    import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
    
    public class ScriptTest {
    
        public static class Logger {
            public void log(String message) {
                System.out.println(message);
            }
        }
    
        public static class Dice {
            private Random random = new Random();
            public int D6() {
                return random.nextInt(6) + 1;
            }
        }
    
        public static void main(String[] args) {
            NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
            ScriptEngine engine = factory.getScriptEngine(new String[]{"-strict", "--no-java", "--no-syntax-extensions"});
            //note final, does not work.
            final Dice dice = new Dice();
            final Logger logger = new Logger();
            engine.put("dice", dice);
            engine.put("log", logger);
            engine.put("hello", "world");
            try {
    
                engine.eval("log.log(hello);");
                engine.eval("log.log(Object.keys(this));");
    
                engine.eval("log.log(dice.D6());"
                        + "log.log(dice.D6());"
                        + "log.log(dice.D6());");
    
                engine.eval("log.log(Object.keys(this));");
                engine.eval("Coffee"); //boom as should
                engine.eval("Java"); //erm? should boom?
                engine.eval("log = 1;"); //override final, boom, nope
                engine.eval("log.log(hello);"); //boom
            } catch (final ScriptException ex) {
                ex.printStackTrace();
            }
            BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
            String input = "";
            do {
                try {
                    input = br.readLine();
                    engine.eval(input);
                } catch (final ScriptException | IOException se) {
                    se.printStackTrace();
                }
            } while (!input.trim().equals("quit"));
    
            try {
                engine.eval("var add = function(first, second){return first + second;};");
                Invocable invocable = (Invocable) engine;
                Object result = invocable.invokeFunction("add", 1, 2);
                System.out.println(result);
    
            } catch (final NoSuchMethodException | ScriptException se) {
                se.printStackTrace();
            }
            Object l = engine.get("log");
            System.out.println(l == logger);
        }
    }
    

    More info about the flags can be found here: http://hg.openjdk.java.net/jdk8/jdk8/nashorn/rev/eb7b8340ce3a

    (imho atm the nashorn documentation is poor)

  • 2020-12-10 15:20

    You can specify any jjs option for script engines via the -Dnashorn.args option when you launch your Java program. For example:

    java -Dnashorn.args=--no-java Main
    

    where Main uses javax.script API with nashorn engine.

  • 2020-12-10 15:22

    --no-java is the main flag to turn off java extensions. --no-syntax-extensions turns off non-standard extensions.

  • 2020-12-10 15:27

    You can run the "jjs" tool with the --no-java option to prevent any explicit Java package/class access from scripts. That said, the Nashorn platform is secure and uses the Java standard URL codebase based security model ('eval'-ed script without known URL origin is treated like untrusted, unsigned code and so gets only sandbox permissions).

  • 2020-12-10 15:29

    Programmatically, you can also directly use the NashornScriptEngineFactory class which has an appropriate getScriptEngine() method:

    import javax.script.ScriptEngine;
    import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
    ...
    NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
    ...
    ScriptEngine engine = factory.getScriptEngine("-strict", "--no-java", "--no-syntax-extensions");
    
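A startup self-check for the flags used in the answers above, added here as an example (it is not code from any of the answers): it probes the global names through which Nashorn scripts normally reach Java classes, prints the result for a default engine as a baseline, and fails if the restricted engine still defines any of them. The class name `NoJavaCheck`, the `Dice.fixed()` helper and the list of probed names are assumptions of this example, and it needs a JDK that still bundles Nashorn (8 to 14).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class NoJavaCheck {

    // Global names through which Nashorn scripts normally reach Java classes.
    static final List<String> JAVA_GLOBALS = Arrays.asList(
            "Java", "JavaImporter", "Packages", "java", "javax", "javafx", "com", "edu", "org");

    // Host object deliberately exposed to scripts (hypothetical, for this example only).
    public static class Dice {
        public int fixed() { return 4; }
    }

    // Returns the names from JAVA_GLOBALS that are still defined in the given engine.
    static List<String> reachable(ScriptEngine engine) throws ScriptException {
        List<String> found = new ArrayList<>();
        for (String name : JAVA_GLOBALS) {
            // typeof does not throw for an undeclared identifier, so every name can be probed.
            Object type = engine.eval("typeof " + name);
            if (!"undefined".equals(type)) {
                found.add(name + " (" + type + ")");
            }
        }
        return found;
    }

    public static void main(String[] args) throws ScriptException {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        // Baseline: the same probe against an engine created without any flags.
        System.out.println("default engine:    " + reachable(factory.getScriptEngine()));

        ScriptEngine engine = factory.getScriptEngine("-strict", "--no-java", "--no-syntax-extensions");
        engine.put("dice", new Dice());
        List<String> leaked = reachable(engine);
        System.out.println("restricted engine: " + leaked);
        if (!leaked.isEmpty()) {
            throw new IllegalStateException("Java access still reachable: " + leaked);
        }
        // The explicitly exposed host object keeps working under the restricted engine.
        System.out.println("dice.fixed() = " + engine.eval("dice.fixed()"));
    }
}
```

Running the same probe when the engine is created through `-Dnashorn.args` confirms that the system property was actually picked up by the process.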