- Bug
- Resolution: Fixed
- P4
- None
- 8, 9
- generic
- generic
https://docs.oracle.com/javase/8/docs/technotes/guides/scripting/nashorn/api.html#classfilter_introduction
Needs rewording. This section seems to suggest that it is safe to run any untrusted script just by using a ClassFilter. While ClassFilter can prevent access to Java classes, this by itself is not enough to run sandboxed/untrusted scripts.

ClassFilter by itself is not a replacement for SecurityManager. It is meant to be used along with the SecurityManager. Please check the JEP on ClassFilter here: http://openjdk.java.net/jeps/202. The JEP clearly states this in its "non goals" section:

    Make security managers redundant for scripts. Embedding applications should still turn on security management before evaluating scripts from untrusted sources. Class filtering alone will not provide a complete script "sandbox." Even if only untrusted scripts (with no additional Java classes) are executed, a security manager should still be utilized. Class filtering provides finer control beyond what a security manager provides. For example, a Nashorn-embedding application may prevent the spawning of threads from scripts or other resource-intensive operations that may be allowed by security manager.

The guide should reflect this aspect clearly.
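The embedding pattern the report asks the guide to describe, as an added example (not code from the bug report, the JEP or the Nashorn docs): an allow-list ClassFilter used as a refinement on top of a SecurityManager, with the host refusing to evaluate untrusted source when no SecurityManager is installed. The class names AllowListFilter and UntrustedScriptRunner are assumptions; the JVM is assumed to be started with -Djava.security.manager and a policy granting only what the host needs.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/** Hypothetical allow-list filter: scripts may only see the classes named here. */
final class AllowListFilter implements ClassFilter {
    private static final Set<String> ALLOWED =
        new HashSet<>(Arrays.asList("java.lang.Math", "java.lang.String"));

    @Override
    public boolean exposeToScripts(String className) {
        return ALLOWED.contains(className);
    }
}

public final class UntrustedScriptRunner {
    /** Evaluates untrusted source only if both layers of protection are in place. */
    public static Object run(String untrustedSource) throws ScriptException {
        // ClassFilter narrows what scripts can reach; it is not a sandbox on its own.
        // Refuse to run untrusted code unless a SecurityManager is actually installed.
        if (System.getSecurityManager() == null) {
            throw new IllegalStateException(
                "Enable a SecurityManager before evaluating untrusted scripts");
        }
        ScriptEngine engine =
            new NashornScriptEngineFactory().getScriptEngine(new AllowListFilter());
        return engine.eval(untrustedSource);
    }

    public static void main(String[] args) throws ScriptException {
        // Allowed by the filter: java.lang.Math is on the allow list.
        System.out.println(run("Java.type('java.lang.Math').max(2, 3)"));
        try {
            // Not on the allow list: the lookup fails (a ClassNotFoundException
            // surfaces through eval) before any Runtime method can be reached.
            run("Java.type('java.lang.Runtime')");
        } catch (Exception e) {
            System.out.println("Blocked by ClassFilter: " + e.getMessage());
        }
    }
}
```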