Replace Nashorn

[cbellone]

Introduction

Alf.io has an Extension engine, which allows organizers to hook additional logic to defined events, and therefore integrate the ticket selling process to their existing infrastructure. One example of this is the integration with a CRM tool: upon confirmation of a reservation, the organizers want to insert/update the contact data of their attendees, in order to send them mailing lists and so on.

At the moment Alf.io uses the Nashorn engine to do this, so extensions must be written in JavaScript. Pros:

• JavaScript is widely adopted, so it should be easier for people to write their own extensions

Cons:

• Code cannot run in a sandboxed environment, so Extensions configuration is only allowed if done by the instance admin
• Calling a Java API from JavaScript code is quite difficult
• Nashorn engine has been deprecated for removal from Java 11, and has been removed in Java 15

We are evaluating the Rhino (https://github.com/mozilla/rhino) javascript engine as a possible replacement.

As a condition for letting an arbitrary user implement his own scripts, we need to ensure that:

1. they can call only an “allow-list” of methods
2. execution time must be bounded
3. The task consists of evaluating and implementing the sandboxed environment.

Subtasks

Evaluate current availability of a java embeddable Javascript engine.

Proposals:

• [ ] Rhino (as per our initial evaluation, https://github.com/mozilla/rhino )
• [ ] Graal (https://github.com/oracle/graal/ )
• [ ] others (?)

Evaluate alternative replacement

As another option, evaluate the possibility to define a small subset of an existing language, implement the parser and runtime (e.g. like micropython, where they have re-implemented the python language and runtime for their specific requirements).

General Criteria for the evaluation

• How much footprint does it have? (consider that the current implementation has ~3MB of footprint)
• Can be sandboxed?
• Can be controlled while in execution (e.g. timeout)?
• Can be instructed to allow calls from within the script to only a set of allowed methods (allow-list)?

Proposed initial steps

• [x] build upon the following PR: https://github.com/alfio-event/alf.io/pull/859

• [ ] Evaluate sandboxing capabilities and implement:

  • https://github.com/javadelight/delight-rhino-sandbox
  • https://stackoverflow.com/questions/57275093/how-to-kill-a-rhino-script
  • https://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/

Graal

• https://medium.com/graalvm/nashorn-removal-graalvm-to-the-rescue-d4da3605b6cb
• https://www.infoworld.com/article/3291322/oracle-switch-now-from-nashorn-javascript-engine-to-graalvm.html
• https://www.graalvm.org/reference-manual/js/NashornMigrationGuide/#nashorn-compatibility-mode
• https://github.com/graalvm/graaljs/blob/master/docs/user/NashornMigrationGuide.md#extensions-only-available-in-nashorn-compatibility-mode

[mejrima]

Graal:

• How much footprint does it have? (consider that the current implementation has ~3MB of footprint)❓
• Can be sandboxed? ❓❌ https://medium.com/@shelajev/currently-there-are-no-comprehensive-materials-about-sandboxing-ac38caf0d6d4
• Can be controlled while in execution (e.g. timeout)? ✅ https://gitlri.lri.fr/jlopez/qsl/blob/fabe66525ec1484568552af8b67f1ed2bc5c916c/sdk/docs/PolyglotEmbedding.md#reliable-timeouts-for-malicious-code
• Can be instructed to allow calls from within the script to only a set of allowed methods (allow-list)? ✅ https://github.com/graalvm/graaljs/issues/109
• not fully stable, but money is being invested so it will get better in the coming years
• there is more information about Graal and every query about migration from Nashorn suggests Graal

Rhino:

• How much footprint does it have? (consider that the current implementation has ~3MB of footprint) ❓
• Can be sandboxed? ✅
• Can be controlled while in execution (e.g. timeout)? ✅
• Can be instructed to allow calls from within the script to only a set of allowed methods (allow-list)? ✅
• could also be removed in the next years (?)
• matches more our requirements

[syjer]

for the footprint:

I think the simplest way to evaluate it, is to create a new empty project that include rhino or graaljs with the main that execute a simple script and generate a "fat jar": https://www.baeldung.com/gradle-fat-jar .

This will create a single archive file which include all the dependencies.

[mejrima]

Footprint Rhino: 1.6 MB Footprint Graal: 24.2 MB It is a very big difference.. I hope I did it correctly

[syjer]

I think it's correct :).

Some time ago (~1 year) I did a quick check (by following the biggest dependencies on https://repo1.maven.org/maven2/org/graalvm/js/js/20.2.0/ ) and I was around 20-30mb, so thank you for confirming my impression :+1: