Running JS code on a server

Edmond Kemokai ekemokai at
Mon May 1 13:29:18 UTC 2017

Hi Eli,

This type of sandboxing is indeed a security minefield.

I have had some experience doing this for an embed JS engine (dynjs), you
can see the results here:

I doubt Nashorn has built-in support for the level of sandboxing you're
looking for...There are a bunch of options such as you mentioned with
limiting access to packages (don't forget getClass() from Java objects
:))...there are also JVM security manager type restrictions that you can
consider.. Some googling may provide additional options such as
containerization for system resource restrictions (CPU, memory, filesystem).

Anyway I can give you my dynjs code modifications if you're interested.


On May 1, 2017 8:56 AM, "Jim Laskey (Oracle)" <james.laskey at>

> From: Eliezer Julian <Eliezer.Julian at <mailto:Eliezer.Julian@
> Subject: Running JS code on a server
> Date: May 1, 2017 at 6:28:05 AM ADT
> To: "nashorn-dev at <mailto:nashorn-dev at>" <
> nashorn-dev at <mailto:nashorn-dev at>>
> Cc: Elior Apelbaum <Elior.Apelbaum at <mailto:Elior.Apelbaum@
>>>, Moshe Robinov <Moshe.Robinov at <mailto:
> Moshe.Robinov at>>, Chen Malka <chen.malka at <mailto:
> chen.malka at>>
> Hi,
> I am developing a server side application and would like to add a feature
> that allows a user to submit JS code to be executed via Nashorn. My concern
> is that a user may submit malicious code that may compromise the server. I
> have already limited the script’s access to the bare minimum of Java
> classes, and have implemented a mechanize to kill the script if execution
> time runs over a certain limit. I have also manually removed many of the
> special methods such as print, echo, exit and quit from the Bindings
> object. However, this is extremely limited in scope compared to the damage
> a willfully malicious user may be able to effect via this feature (such as
> allocating too much memory, try to access the file system via the script,
> etc.). I was wondering if the Nashorn development team had any
> recommendations as far as security is concerned, and whether there are any
> plans to add additional security features in the future.
> Thanks,
> Eli Julian
> Software Developer
> Decision Division
> Email: eliezer.julian at <mailto:eliezer.julian at>
> Office: +972-3-7902155
> Mobile: +972-50-3697238
> Skype handle: eli_julian
> Visit us at: <>

More information about the nashorn-dev mailing list