oracle / graaljs

GraalJS – A high-performance, ECMAScript compliant, and embeddable JavaScript runtime for Java
https://www.graalvm.org/javascript/
Universal Permissive License v1.0
1.81k stars 190 forks source link

[FEATURE REQUEST] per script hostAccess permission #665

Closed revintec closed 1 year ago

revintec commented 2 years ago

it's common that a language implementor have some bridge code to enable accessing deeper layer native operations(like JNI let's take javascript for example, assuming it have to write a log buffer -- named logs -- that is an ArrayList<String>

untrustedScript: jsBridge.appendLog("abc") bridgeScript: window.jsBridge={appendLog(msg){logs.push(msg)},...}

logs=new ArrayList<String>();allowHostAccess(HostAccess.newBuilder().allowListAccess(true).build()) sadly is not enough, it only enables list read access but not write access. adding allowListWriteAccess(...) could work but we can't add allowXXX(...) for everything

of course we can make our own class AccessableArrayList<T>{@Export void add(...)}, ListAccessor(...) or ProxyXXX but that requires making wrappers for almost everything, and it sure seems like an overkill


  1. is there any suggested approach to this?

  2. what I would suggest is having separate hostAccess permissions for different scripts(like Java's @CallerSensitive or x86's ring0 privilege modes), e.g. adding Source.Builder.hostAccess(ALL), thus bridgeScript -- which is trusted vender code -- to access all host operations while still isolating untrustedScript from these operations


thanks for considering

iamstolis commented 1 year ago

@revintec, do not expect any news from me - this issue is not assigned to me (I am not responsible for this area).

revintec commented 1 year ago

sorry, typo, at-ed the wrong person

@chumer Hi, is there any update on this? thx

revintec commented 1 year ago

@chumer Hi, is this issue still being considered?

chumer commented 1 year ago

Hi @revintec. Sorry for the late response;

No, we do not have plans to implement this feature. You could implement your own security check at the entry of each method for trusted methods or create separate contexts for trusted/vs untrusted script code.

Generally, I'd not recommend running trusted and untrusted code in the same context, as JavaScript does not have any security boundaries that would enforce this separation.

For polyglot sandboxing we recently wrote some new docs: https://www.graalvm.org/latest/security-guide/polyglot-sandbox/