-
Notifications
You must be signed in to change notification settings - Fork 857
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EXPERIMENTAL: Remove SecurityManager #1353
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR contains some thoughts. Maybe more code can be removed/simplified (like SecureCaller)
@@ -132,7 +101,7 @@ public synchronized void setCachingEnabled(boolean enabled) { | |||
} | |||
|
|||
/** @return a map from classes to associated JavaMembers objects */ | |||
Map<CacheKey, JavaMembers> getClassCacheMap() { | |||
Map<Class, JavaMembers> getClassCacheMap() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No security context -> We can revert this change #1019
@@ -23,8 +23,7 @@ public Class<?> defineClass(String name, byte[] data) { | |||
// Use our own protection domain for the generated classes. | |||
// TODO: we might want to use a separate protection domain for classes | |||
// compiled from scripts, based on where the script was loaded from. | |||
return super.defineClass( | |||
name, data, 0, data.length, SecurityUtilities.getProtectionDomain(getClass())); | |||
return super.defineClass(name, data, 0, data.length, getClass().getProtectionDomain()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CHECKME: Would we need a protectionDomain at all?
if (protectionDomain == null) { | ||
protectionDomain = JavaAdapter.class.getProtectionDomain(); | ||
} | ||
ProtectionDomain protectionDomain = JavaAdapter.class.getProtectionDomain(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CHECKME: can this be simplified?
@@ -319,8 +318,7 @@ private void discoverAccessibleMethods( | |||
if (isPublic(mods) || isProtected(mods) || includePrivate) { | |||
MethodSignature sig = new MethodSignature(method); | |||
if (!map.containsKey(sig)) { | |||
if (includePrivate && !method.isAccessible()) | |||
method.setAccessible(true); | |||
VMBridge.instance.tryToMakeAccessible(method); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CHECKME: Do we need a VMBridge for java 11/17?
I think that we should do this after the 1.7.15 release -- at that point I want to reorganize the source files (git seems to be smart enough to make that less of a nightmare), upgrade the build to require Java 11 minimum, and then this can be one of the first things that we address. |
I've resolved the merge conflicts here, but I will still consider this as experimental: Maybe we shoud first decide, if we still need for VMBridge / VMBridge_jdk18, repectively JavaMembers / JavaMembers_jdk11 I don't know, if there are still use cases, where someone needs its own VMBridge, but trying to load As minimum JVM version is now 11, there will be also no need for JavaMembers / JavaMembers_jdk11 |
Converted as draft as still considered experimental by the author |
@rPraml in the mentioned discussion you said your company currently heavily relies on the SecurityManager to prevent untrusted JavaScript code from doing stuff that is not allowed. Have you come up with an alternative approach achieving the same that didn't rely on the SecurityManager? |
@p-bakker We do not longer rely on SecurityManager and I would agree, if it will be removed from rhino (in 2.0?) Long story: In the beginning we tried to allow the end user to edit our JavaScript code, where we have modelled a lot of our business logic. We found ways to bypass these mechansims (e. g. Debugging and fixing one security issue brings the next to light... (it was a pain, to find a good balance, to enable features and yet offer enough security) With the knowledge of JEP411, we abandoned the idea that we could ever provide a JavaScript user interface where the end user cannot compromise the system. So in our current application, we have forbidden to view/edit JavaScript code to the end user |
Right, was afraid of that. I guess the only way to allow untrusted script to run 'securely' is to disable Java Interop completely and create custom host objects (Scriptable's) that expose whatever domain logic you want to expose And 'securily' in brackets, because:
|
Wrt to removing the SecurityManager: while it has been delayed for removal, to my knowledge is not clear yet in which Java version it'll actually be removed, no? I propose to leave it in Rhino at least until after the next release, as the next release is sharing up to be a significant improvement on the EcmaScript-compatibility side (amongst other improvements) and I rather not lock Rhino users out of those goodies if they currently depend on the SecurityManager What I think we could do though is mark the relevant methods as deprecated, include a note about it in the release notes and maybe write some documentation about security with Rhino in general and about moving away from the SecurityManager specifically |
In https://openjdk.org/jeps/411 they said
But as far as I see, this hasn't been done yet. There are no relevant changes in There is a comment in https://bugs.openjdk.org/browse/JDK-8264713 where someone asked for a date. The only thing I noticed, that some testcases print the warning
on the console since some time. |
Hello, I want to discuss, if it is already time to remove the dependency to SecurityManager from Rhino.
There was already a discussion, where I was involved: #972 (comment)
and the last days I found some time to update our fork.
Why should we remove the dependency to securityManager
Why shouldn't we remove it
This PR is radical and removes all code pieces, that relate to SecurityManager.
(Note: I've made an earlier PR, where I moved all stuff to a "SecurityBridge". See: #1068)
Maybe you can provide some feedback, what will be a good way to go here?