Running JS code on a server

G W grwongku at
Mon May 1 15:18:02 UTC 2017

Have you tried implementing jdk.nashorn.api.scripting.ClassFilter to limit
Class access? Also for resource access, you need to create wrappers.
e.g. for File access:
function File(f){
    this.file = f;
    this.delete = function(){
        return this;
    };
    this.create = function(dr){
        return this;
    };
    // (the name and body of one more method are missing from the archived message)
    this.exists = function(){
        return org.sprnkl.server.js.SprnklFile.exists(jsrequestobj,this.file);
    };
    this.length = function(){
        // (body missing from the archived message)
    };
    this.list = function(){
        return org.sprnkl.server.js.SprnklFile.list(jsrequestobj,this.file);
    };
    this.isDirectory = function(){
        return org.sprnkl.server.js.SprnklFile.isDirectory(jsrequestobj,this.file);
    };
    this.readString = function(){
        var rb = []; // placeholder: the call that read the file's bytes is missing from the archived message
        var rb2 = [];
        for (var ct = 0;ct < rb.length;ct++){
            // (loop body missing from the archived message)
        }
        return String.fromCharCode.apply(String, rb2);
    };
    this.write = function(b,dr){
        if (dr == undefined) dr = true;

        return this;
    };
    this.writeString = function(s,dr){
        return this.write(s.getBytes(),dr);
    };
}

I have a Framework that is a work in process. Would be happy to share the
code if interested.

On Mon, May 1, 2017 at 8:55 AM, Jim Laskey (Oracle) <james.laskey at
> wrote:

> From: Eliezer Julian <Eliezer.Julian at <mailto:Eliezer.Julian@
> Subject: Running JS code on a server
> Date: May 1, 2017 at 6:28:05 AM ADT
> To: "nashorn-dev at <mailto:nashorn-dev at>" <
> nashorn-dev at <mailto:nashorn-dev at>>
> Cc: Elior Apelbaum <Elior.Apelbaum at <mailto:Elior.Apelbaum@
>>>, Moshe Robinov <Moshe.Robinov at <mailto:
> Moshe.Robinov at>>, Chen Malka <chen.malka at <mailto:
> chen.malka at>>
> Hi,
> I am developing a server side application and would like to add a feature
> that allows a user to submit JS code to be executed via Nashorn. My concern
> is that a user may submit malicious code that may compromise the server. I
> have already limited the script’s access to the bare minimum of Java
> classes, and have implemented a mechanism to kill the script if execution
> time runs over a certain limit. I have also manually removed many of the
> special methods such as print, echo, exit and quit from the Bindings
> object. However, this is extremely limited in scope compared to the damage
> a willfully malicious user may be able to effect via this feature (such as
> allocating too much memory, trying to access the file system via the script,
> etc.). I was wondering if the Nashorn development team had any
> recommendations as far as security is concerned, and whether there are any
> plans to add additional security features in the future.
> Thanks,
> Eli Julian
> Software Developer
> Decision Division
> Email: eliezer.julian at <mailto:eliezer.julian at>
> Office: +972-3-7902155
> Mobile: +972-50-3697238
> Skype handle: eli_julian
> Visit us at: <>
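
An added example, not code from this thread or from the poster's framework: a minimal allowlist ClassFilter combined with a host-side wrapper of the kind the reply describes. It assumes a JDK that still bundles Nashorn (8u40 through 14); AllowList, FileGate, the "sandbox" directory and the script strings are hypothetical names chosen for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class SandboxedEngine {
    // Allowlist filter: a script can only resolve the Java classes named here.
    static final class AllowList implements ClassFilter {
        private final Set<String> allowed;
        AllowList(String... names) { allowed = new HashSet<>(Arrays.asList(names)); }
        @Override public boolean exposeToScripts(String className) {
            return allowed.contains(className);
        }
    }

    // Hypothetical host-side wrapper (not the SprnklFile class from the reply):
    // the only file operation handed to the script, confined to one base directory.
    public static final class FileGate {
        private final Path base;
        FileGate(Path base) { this.base = base.toAbsolutePath().normalize(); }
        public boolean exists(String name) {
            Path p = base.resolve(name).normalize();
            return p.startsWith(base) && Files.exists(p);  // rejects ../ and absolute paths
        }
    }

    public static void main(String[] args) throws Exception {
        ScriptEngine engine = new NashornScriptEngineFactory()
                .getScriptEngine(new AllowList("java.lang.StringBuilder"));
        engine.put("files", new FileGate(Paths.get("sandbox")));

        // A class on the allowlist resolves normally.
        System.out.println(engine.eval(
                "var SB = Java.type('java.lang.StringBuilder'); new SB('ok').toString()"));
        // The wrapper refuses a path that escapes its base directory.
        System.out.println(engine.eval("files.exists('../outside.txt')"));
        // A class that is not on the allowlist cannot be resolved by the script.
        try {
            engine.eval("Java.type('java.io.File')");
            System.out.println("unexpected: java.io.File resolved");
        } catch (Exception e) {
            System.out.println("blocked: " + e);
        }
    }
}
```

The filter only governs which classes a script can look up by name; it does not bound memory or CPU use, which the original question also raises.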
