Java scripting engines
Code injection can occur when untrusted input is injected into dynamically constructed code. One obvious source of potential vulnerabilities is the use of JavaScript from Java code. The javax.script package consists of interfaces and classes that define Java scripting engines and a framework for the use of those interfaces and classes in Java code. Misuse of the javax.script API permits an attacker to execute arbitrary code on the target system.
Security issue: preventing code injection
IDS52-J. Prevent code injection
An example of calling JavaScript
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.io.Reader;
import java.net.URL;
import cn.hutool.core.io.IoUtil;        // Hutool helpers used by this snippet
import cn.hutool.core.util.CharsetUtil;

final ScriptEngineManager MANAGER = new ScriptEngineManager();
ScriptEngine engine = MANAGER.getEngineByExtension("js"); // Python, Lua, Groovy etc. engines are looked up the same way; returns null on JDK 15+ (Nashorn was removed)
// Evaluate a JS file
URL uri = ArtRender.class.getResource("/art-template/template-web.js");
Reader reader = IoUtil.getReader(uri.openStream(), CharsetUtil.CHARSET_UTF_8);
Object obj = engine.eval(reader);
// Evaluate JS source in the same context
engine.eval("var __render = template.render");
// Evaluating a string: a line break inside the source is taken by the parser as the end of a statement, so this eval fails, hence **
// engine.eval("template.render('<div> \r\n"
//     + "{{name}} </div>', {})");
// Call a function: only top-level functions can be invoked; a dotted path such as `template.render` does not work
Invocable inv = (Invocable) engine;
String res = (String) inv.invokeFunction("__render", source, data); // source: the template text; data: a Java bean passed as the argument
For JDK 17
The Nashorn JavaScript engine was removed in JDK 15 (JEP 372), so getEngineByExtension("js") returns null.
GraalVM's JavaScript engine (GraalJS) can be used instead:
<!-- GraalVM JavaScript runtime -->
<dependency>
  <groupId>org.graalvm.sdk</groupId>
  <artifactId>graal-sdk</artifactId>
  <version>${graalvm.version}</version>
</dependency>
<dependency>
  <groupId>org.graalvm.js</groupId>
  <artifactId>js</artifactId>
  <version>${graalvm.version}</version>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>org.graalvm.js</groupId>
  <artifactId>js-scriptengine</artifactId>
  <version>${graalvm.version}</version>
</dependency>
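The following is an added example, not code from the original post, that ties the IDS52-J point above to the GraalVM setup just listed. It contrasts building script source by string concatenation (untrusted input becomes program text) with loading a fixed script once and handing untrusted input to it only as a function argument, inside a GraalVM polyglot Context that denies host access. It assumes the GraalJS dependencies above are on the classpath; the class name SafeScripting, the inline template script, the allow-list pattern and the sample input are all constructed for illustration.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;

import java.util.regex.Pattern;

/**
 * Untrusted input as code (unsafe) versus untrusted input as data (safe),
 * both evaluated in a locked-down GraalJS Context. Constructed example.
 */
public final class SafeScripting {

    // Constructed stand-in for a template library: exposes template.render(src, data).
    private static final String TEMPLATE_SCRIPT =
        "var template = { render: function (src, data) {"
        + "  return src.replace('{{name}}', data.name); } };";

    // IDS52-J style allow-list: the value is expected to be a short plain name.
    private static final Pattern NAME = Pattern.compile("^[A-Za-z0-9_ ]{1,64}$");

    private SafeScripting() {}

    /** A Context that cannot reach Java classes, the file system, threads or processes. */
    public static Context sandbox() {
        return Context.newBuilder("js")
            .allowHostAccess(HostAccess.NONE)          // no public Java members callable from JS
            .allowHostClassLookup(className -> false)  // Java.type(...) always denied
            .allowIO(false)
            .allowCreateThread(false)
            .allowCreateProcess(false)
            .allowNativeAccess(false)
            .build();
    }

    /** UNSAFE: the untrusted value is spliced into the program text and parsed as JavaScript. */
    public static String renderUnsafe(Context ctx, String untrustedName) {
        ctx.eval("js", TEMPLATE_SCRIPT);
        String source = "template.render('<div>{{name}}</div>', {name: '" + untrustedName + "'})";
        return ctx.eval("js", source).toString();
    }

    /** SAFE: the script is fixed; the untrusted value travels only as an argument value. */
    public static String renderSafe(Context ctx, String untrustedName) {
        if (!NAME.matcher(untrustedName).matches()) {
            throw new IllegalArgumentException("rejected name: " + untrustedName);
        }
        ctx.eval("js", TEMPLATE_SCRIPT);
        Value render = ctx.getBindings("js").getMember("template").getMember("render");
        Value data = ctx.eval("js", "({})");   // empty JS object created inside the guest
        data.putMember("name", untrustedName);  // set as a value, never re-parsed as source
        return render.execute("<div>{{name}}</div>", data).asString();
    }

    public static void main(String[] args) {
        // Constructed, benign marker input: closes the literal and sets a global.
        String payload = "x'}); globalThis.injected = true; ({name: 'x";

        try (Context ctx = sandbox()) {
            renderUnsafe(ctx, payload);
            // true: the input ran as code and left a global behind
            System.out.println("injected global present: "
                + ctx.getBindings("js").hasMember("injected"));
        }

        try (Context ctx = sandbox()) {
            System.out.println(renderSafe(ctx, "Alice"));   // <div>Alice</div>
            try {
                renderSafe(ctx, payload);
            } catch (IllegalArgumentException e) {
                System.out.println("allow-list: " + e.getMessage());
            }
        }

        // Defence in depth: even code that does run cannot reach the host.
        try (Context ctx = sandbox()) {
            ctx.eval("js", "Java.type('java.lang.System')");
        } catch (PolyglotException e) {
            System.out.println("host access blocked: " + e.getMessage());
        }
    }
}
```

The structural fix is the one that matters: renderSafe never lets untrusted bytes reach the parser, so the allow-list is a second layer rather than the only one. The Context restrictions are a third layer that limits damage if a script is compromised anyway; they are GraalVM-specific and have no equivalent in the plain javax.script API, which is one more reason to configure the engine through the polyglot API rather than relying on the generic ScriptEngine defaults.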