/delight-graaljs-sandbox

A sandbox for executing JavaScript with Graal in Java

Primary LanguageJava

Graal Sandbox

A secure sandbox for executing JavaScript in Java apps using the Graal JS engine.

Also see Nashorn Sandbox and Rhino Sandbox.

Part of the Java Delight Suite.

Usage

The sandbox by default blocks access to all Java classes.

Classes, which should be used in JavaScript, must be explicitly allowed.

GraalSandbox sandbox = GraalSandboxes.create();
     
sandbox.allow(File.class);
     
sandbox.eval("var File = Java.type('java.io.File'); File;")

Or you can inject your Java object as a JS global variable

GraalSandboxes sandbox = GraalSandboxes.create();

sandbox.inject("fromJava", new Object());

sandbox.eval("fromJava.getClass();");

The sandbox also allows limiting the CPU time and memory usage of scripts. This allows terminating scripts which contain infinite loops and other problematic code.

GraalSandbox sandbox = GraalSandboxes.create();
     
sandbox.setMaxCPUTime(100);
sandbox.setMaxMemory(500*1024);
sandbox.allowNoBraces(false);
sandbox.setMaxPreparedStatements(30); // because preparing scripts for execution is expensive
sandbox.setExecutor(Executors.newSingleThreadExecutor());
     
sandbox.eval("var o={}, i=0; while (true) {o[i++]='abc';};");

This code will raise a ScriptCPUAbuseException.

The sandbox beautifies the JavaScript code for this and injects additional statements into the submitted code. It is thus possible that the original line numbers from the submitted JS code are not preserved. To debug the code, which is generated by the sandbox, activate its debug mode as follows using log4j.properties file:

log4j.logger.delight.graaljssandbox.internal.GraalSandboxImpl=DEBUG

This will output the generated JS on the console as follows:

--- Running JS ---
var \__it = Java.type('delight.graaljssandbox.internal.InterruptTest');var \__if=function(){\__it.test();};
while(true) {__if();
  i = i+1;
}
--- JS END ---

Maven

Just add the following dependency to your projects.

<dependency>
    <groupId>org.javadelight</groupId>
    <artifactId>delight-graaljs-sandbox</artifactId>
    <version>[insert latest version]</version>
</dependency>

This artifact is available on Maven Central and BinTray.

Maven Central

Project Background

This project is based on a PR in the Nashorn Sandbox project by Marco Ellwanger. The Graal JS sandbox has been extracted from the Nashorn Sandbox repository to provide projects with a dedicated module to use if Graal JS sandbox capabilities are required.

Contributors

Marco Ellwanger: Initial support for GraalJS engine by implementing sandbox implementation backed by GraalJS.

Version History