my dog learned polymorphism*
The moose likes Other Languages and the fly likes Extending application with scripted Java Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Languages » Other Languages
Bookmark "Extending application with scripted Java" Watch "Extending application with scripted Java" New topic
Author

Extending application with scripted Java

Uma Rk
Greenhorn

Joined: Dec 11, 2006
Posts: 3
I am developing an enterprise-class application in which
users could specify an action to be executed in response
to specific events.

I would like to allow users to be able to script the response
as a groovy script. While this seems an appropriate
application of groovy, my concern is about security:
how can I prevent a malicious user from subverting the application's
JVM using a suitable groovy script?

Could I install a security manager which can detect operations
initiated from a groovy script (as opposed to those initiated
from the main application)?

Thanks,

/U
S Davis
Author
Ranch Hand

Joined: Feb 07, 2006
Posts: 40
GULP! Allowing executable code from an end-user -- in Java, Groovy, or any other language -- is an exercise for someone (anyone!) braver than me. I'm going to ask all hackers to avert their eyes for a moment.



Groovy allows you to wrap anything that you'd normally type at the command line in quotes and call .execute() on it. It's a convenience method that creates a java.lang.Process behind the scenes.

I'd find ANY OTHER POSSIBLE WAY to do what you are trying to accomplish before I'd let someone submit code to my system without my prior knowledge. The only way I'd even vaguely consider doing something like that is writing a DSL (Domain Specific Language) that had such a bone-simple syntax that I could scan it for bad things, but even then I wouldn't sleep very well at night... Those hackers are a smart, tenacious bunch, and have waaay more time than I do to think of nefarious ways to abuse innocent systems.
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Well, since Groovy runs in a JVM, I'd think it could use the JVM's SecurityManager same as any Java program. So we could use a SecurityManager set with the same permissions that are used for, say, any untrusted applet found on the web. This would disallow file access, and Runtime.exec(), and various other things I don't know about. That should block any access to Groovy's execute() method, which doubtless uses Runtime.exec() internally.) Then you could use GroovyShell.evaluate() or Eval.me() methods to evaluate some string the user passed in and obtain a result. Should be as safe as running a web browser with Java enabled, no?

A problem with this approach as described is that we may well want access to the file system or Runtime.exec() (or Groovy's execute()) ourselves. So we'd want one security manager for our own program, and another for evaluating stuff from users. This would seem to require two different JVMs, since a single JVM can only have one security manager at a time (as I understand it). I suppose you could use Runtime.exec() to start a second JVM with a more restrictive set of permissions, as a Process. Then pass it the user's script using Process.getInputStream(), and obtain the result using PRocess.getOutputStream(). With a bit of care, you could probably set this up so you only have to start the second JVM once, then keep it running indefninitely while you pass it a series of commands, and get a series of responses. Perhaps wrap these with some simple XML, or use object serialization, so that you have an easy way to tell when one response is completed and the next begins.


"I'm not back." - Bill Harding, Twister
Alaa Nassef
Ranch Hand

Joined: Jan 28, 2008
Posts: 460
Jim, I really love that solution. However, as Scott had put it, even with this brilliant secure solution, I will still not be able to sleep well at night


Visit my blog: http://jnassef.blogspot.com/
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Well, one out of two isn't bad, I guess.
Alaa Nassef
Ranch Hand

Joined: Jan 28, 2008
Posts: 460
Well, maybe Uma will be able to sleep at night with that solution, so you would have gotten a two out of two, which is great. Frankly, I cannot imagine myself giving the users the ability to enter their code into the system. I believe that your solution is the best that can be done, and I believe that if configured correctly, it'll be very secure. But if I do it, I believe that I'll be getting a lot of nightmares about what I might have forgotten, and what users may do to the system. OUCH!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Extending application with scripted Java
 
Similar Threads
reg audioclip
war file not deploying properly
Read file from jar file using groovy script
Closing the Opening Window From a Popup
Groovy vs JavaFX