Package delight.nashornsandbox.internal
Class JsSanitizer
- java.lang.Object
  - delight.nashornsandbox.internal.JsSanitizer
-
public class JsSanitizer extends java.lang.Object
JavaScript sanitizer. Checks for loops and inserts a function call that breaks script execution when the JS engine thread is interrupted.
Created on 2017.11.22
-
Nested Class Summary
Modifier and Type, Class, Description:
- private static class JsSanitizer.PoisonPil
-
Field Summary
Modifier and Type, Field, Description:
- private boolean allowNoBraces: true when lack of braces is allowed.
- private static java.util.List<java.lang.String> BEAUTIFY_FUNCTIONS: The beautify function search list.
- private static java.lang.String BEAUTIFY_JS: The resource name of the beautify.min.js script.
- private static java.util.Map<java.lang.String,java.lang.Object> BEAUTIFY_OPTIONS: The beautifier options.
- private static java.lang.ref.SoftReference<java.lang.String> beautifysScript: Soft reference to the text of the js script.
- (package private) static java.lang.String JS_INTERRUPTED_FUNCTION: The name of the JS function to be inserted into the user script.
- (package private) static java.lang.String JS_INTERRUPTED_TEST: The name of the variable which holds a reference to the interruption checking class.
- private java.util.function.Function<java.lang.String,java.lang.String> jsBeautify: JS beautify() function reference.
- private static java.util.List<java.util.regex.Pattern> LACK_EXPECTED_BRACES: Pattern for back braces.
- private static java.util.List<JsSanitizer.PoisonPil> POISON_PILLS
- private javax.script.ScriptEngine scriptEngine
- private SecuredJsCache securedJsCache
-
Constructor Summary
Constructor, Description:
- JsSanitizer(javax.script.ScriptEngine scriptEngine, boolean allowBraces, SecuredJsCache cache)
- JsSanitizer(javax.script.ScriptEngine scriptEngine, int maxPreparedStatements, boolean allowBraces)
-
Method Summary
Modifier and Type, Method, Description:
- private void assertScriptEngine()
- private static java.util.function.Function<java.lang.String,java.lang.String> beautifierAsFunction(java.lang.Object beautifyScript)
- (package private) java.lang.String beautifyJs(java.lang.String js)
- (package private) void checkBraces(java.lang.String beautifiedJs): After the beautifier runs, every brace should be in place; if braces are missing, or there are too many, script execution must be prevented.
- private void checkJs(java.lang.String js)
- private SecuredJsCache createSecuredJsCache(int maxPreparedStatements)
- private static java.lang.Object getBeautifHandler(javax.script.ScriptEngine scriptEngine)
- private static java.lang.String getBeautifyJs()
- private java.lang.String getPreamble()
- (package private) java.lang.String injectInterruptionCalls(java.lang.String str)
- private SecuredJsCache newSecuredJsCache(int maxPreparedStatements)
- java.lang.String secureJs(java.lang.String js)
- private java.lang.String secureJsImpl(java.lang.String js)
-
-
-
Field Detail
-
BEAUTIFY_JS
private static final java.lang.String BEAUTIFY_JS
The resource name of beautify.min.js script.
- See Also: Constant Field Values
-
BEAUTIFY_FUNCTIONS
private static final java.util.List<java.lang.String> BEAUTIFY_FUNCTIONS
The beautify function search list.
-
JS_INTERRUPTED_FUNCTION
static final java.lang.String JS_INTERRUPTED_FUNCTION
The name of the JS function to be inserted into the user script. A random suffix is added to prevent collisions.
- See Also: Constant Field Values
-
JS_INTERRUPTED_TEST
static final java.lang.String JS_INTERRUPTED_TEST
The name of the variable which holds a reference to the interruption checking class. A random suffix is added to prevent collisions.
- See Also: Constant Field Values
-
POISON_PILLS
private static final java.util.List<JsSanitizer.PoisonPil> POISON_PILLS
-
BEAUTIFY_OPTIONS
private static final java.util.Map<java.lang.String,java.lang.Object> BEAUTIFY_OPTIONS
The beautifier options. Don't change them unless you know what you are doing, because the regexps depend on them.
-
beautifysScript
private static java.lang.ref.SoftReference<java.lang.String> beautifysScript
Soft reference to the text of the js script.
-
scriptEngine
private final javax.script.ScriptEngine scriptEngine
-
jsBeautify
private final java.util.function.Function<java.lang.String,java.lang.String> jsBeautify
JS beautify() function reference.
-
securedJsCache
private final SecuredJsCache securedJsCache
-
allowNoBraces
private final boolean allowNoBraces
true when lack of braces is allowed.
-
LACK_EXPECTED_BRACES
private static final java.util.List<java.util.regex.Pattern> LACK_EXPECTED_BRACES
Pattern for back braces.
-
-
Constructor Detail
-
JsSanitizer
JsSanitizer(javax.script.ScriptEngine scriptEngine, int maxPreparedStatements, boolean allowBraces)
-
JsSanitizer
JsSanitizer(javax.script.ScriptEngine scriptEngine, boolean allowBraces, SecuredJsCache cache)
-
-
Method Detail
-
assertScriptEngine
private void assertScriptEngine()
-
getBeautifHandler
private static java.lang.Object getBeautifHandler(javax.script.ScriptEngine scriptEngine)
-
createSecuredJsCache
private SecuredJsCache createSecuredJsCache(int maxPreparedStatements)
-
newSecuredJsCache
private SecuredJsCache newSecuredJsCache(int maxPreparedStatements)
-
checkBraces
void checkBraces(java.lang.String beautifiedJs) throws BracesException
After the beautifier runs, every brace should be in place; if braces are missing, or there are too many, script execution must be prevented.
- Parameters: beautifiedJs - evaluated script
- Throws: BracesException - when braces are incorrect
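The approach this class describes (refuse loops that lack braces, then insert an interruption check into every loop body), as an added JavaScript example that is not the library's code. The regexes, the `__interrupted_` name, and the call budget standing in for the engine thread's interrupted flag are assumptions of this simplified model, which covers `for` and `while` loops only.

```javascript
// Simplified model with hypothetical names; not the library's regexes or code.
const SUFFIX = Math.random().toString(36).slice(2, 10);
const CHECK = `__interrupted_${SUFFIX}`; // random suffix avoids clashing with user identifiers

const LOOP_KEYWORD = /\b(?:for|while)\b/g;
// What must follow a loop keyword: a header without nested parentheses, then `{`.
const GUARDABLE = /^\s*\([^()]*\)\s*\{/;

// Fail closed: a loop this model cannot parse, or one without `{`, leaves no
// safe place for the check, so the whole script is refused (do...while included).
function checkBraces(js) {
  for (const m of js.matchAll(LOOP_KEYWORD)) {
    const rest = js.slice(m.index + m[0].length);
    if (!GUARDABLE.test(rest)) {
      throw new Error(`loop at offset ${m.index} has no braced body to guard`);
    }
  }
}

// Put a call to the check first in every loop body.
function injectInterruptionCalls(js) {
  const head = /\b(?:for|while)\b\s*\([^()]*\)\s*\{/g;
  return js.replace(head, (h) => `${h}${CHECK}();`);
}

function secureJs(js) {
  checkBraces(js);
  return injectInterruptionCalls(js);
}

// Stand-in for the engine: the host supplies the check. Here it is a call
// budget; the class description ties the real check to thread interruption.
function runSecured(js, budget) {
  let calls = 0;
  const check = () => {
    if (++calls > budget) throw new Error('interrupted');
  };
  return new Function(CHECK, secureJs(js))(check);
}

// Constructed sample scripts.
const endless = 'var i = 0; while (true) { i++; }';
const bounded = 'var s = 0; for (var i = 0; i < 5; i++) { s += i; } return s;';
```

`runSecured(bounded, 1000)` returns normally, while `runSecured(endless, 1000)` stops with `interrupted`; a braceless loop such as `while (true) i++;` is refused before anything runs.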
-
injectInterruptionCalls
java.lang.String injectInterruptionCalls(java.lang.String str)
-
getPreamble
private java.lang.String getPreamble()
-
checkJs
private void checkJs(java.lang.String js)
-
secureJs
public java.lang.String secureJs(java.lang.String js) throws javax.script.ScriptException
- Throws: javax.script.ScriptException
-
secureJsImpl
private java.lang.String secureJsImpl(java.lang.String js) throws BracesException
- Throws: BracesException
-
beautifyJs
java.lang.String beautifyJs(java.lang.String js)
-
getBeautifyJs
private static java.lang.String getBeautifyJs()
-
beautifierAsFunction
private static java.util.function.Function<java.lang.String,java.lang.String> beautifierAsFunction(java.lang.Object beautifyScript)
-
-