javadelight / delight-nashorn-sandbox

A sandbox for executing JavaScript with Nashorn in Java.

> Nashorn exposes an instance of NashornScriptEngine through the `engine` property. #133

Closed solante1012 closed 1 year ago

solante1012 commented 1 year ago
> Nashorn exposes an instance of NashornScriptEngine through the `engine` property.

This allows executing arbitrary code as follows:

```java
sandbox.eval("delete this.engine; this.engine.factory.scriptEngine.compile('var File = Java.type(\"java.io.File\"); File;').eval()");
```

The test case for this is defined here: Test Engine

Workaround:

It is suggested that this can be resolved when using a SecurityManager.

I am very confused why the POC `this.engine.factory.scriptEngine` could bypass the sandbox. Can anybody explain it? What is the difference between `engine.factory.getScriptEngine()` and `this.engine.factory.scriptEngine`? I don't get it, because the object `factory` doesn't have a property `scriptEngine`.

Originally posted by @solante1012 in https://github.com/javadelight/delight-nashorn-sandbox/issues/73#issuecomment-1328490524

mxro commented 1 year ago

Hello there! Thank you for submitting this issue! I think it is easiest if we continue the discussion in the original issue, so I will close this one if you don't mind. Please feel welcome to re-open it if you think that is required!