nashorn security

Nate Kidwell nate at
Tue Mar 25 18:38:45 UTC 2014


1) Since people probably are going to be running a variety of
dynamically-generated code within nashorn, what is done to allow the
javascript code to be sandboxed?

2) Is something like

    engine.put("java", null);

    engine.put("Java", null);

    engine.put("Packages", null);


sufficiently secure sandboxing if it is run before a engine.eval(...).  Or
at least if all the bindings are wiped out, would THAT then be sufficient

3) Is there any other way to reach outside of the nashorn environment, even
if sandboxed?  For example are there properties available on any javascript
objects (or java objects that are passed in) that would allow the dynamic
execution of code on the java side of things.



More information about the nashorn-dev mailing list