scripting language - to execute on the server

Question

I'm looking for a scripting language that would be:

a scripting language that is embeddable in Java
- actually I mean something that will not be executed as a native code, but interpreted
secure (users would upload their scripts which would then execute on the server)
- no access to anything outside some 'sandbox', no access to threads, I/O, etc.
- Just flow control + algorithms/data structures (maybe some predefined "classes", like collections) + interaction with explicitly provided API
it would be possible to limit execution time per script (n seconds or n instructions)
- it is possible if the language is interpreted. For example: replace each instruction with "check if I should execute the next instruction and execute it or quit"
have simple and readable syntax

The ultimate goal is to be able to run untrusted code which should only be able to use provided API, without breaking anything (like entering infinite loops / consuming too much resources / accessing anything except provided API)

Is there some existing language that I could use?

@Supericy - only recent versions of Java, I think. Besides, that only addresses the first criterion. — Stephen C, May 05 '13 at 01:43

score 1 · Answer 1 · answered May 04 '13 at 23:41

1

Consider the Bean Scripting Framework, which will offer you a choice of different languages.

answered May 04 '13 at 23:41

Stefan Paletta

378
1
7

Stephen C · Answer 2 · 2013-05-05T01:14:02.913

First off, I can't think of any language that meets all of those criteria. But it might be helpful to analyse the requirements to understand why:

1) a scripting language that is embeddable in Java

Certainly embeddable scripting languages do exist, though it depends on your definition of a scripting language. Would a simple expression language be a "scripting language"?

2) secure (users would upload their scripts which would then execute on the server)

This is difficult. The problem is ... how can you tell if a language implementation is secure? In simple cases (e.g. a "calculator" language) it is easy, but how would you justify a conclusion that (say) the Rhino Javascript interpreter or JRuby or JPython is secure? (And what does "secure" actually mean?)

Note: if your scripting language allows a script to call Java classes or (shudder) native code, your problem is now roughly equivalent to asking if Java is secure in the face of running arbitrary untrusted code in the JVM. (The answer is NO ... and certainly not while there are unpatched / undiscovered security holes in Java.)

3) it would be possible to limit execution time per script (n seconds or n instructions)

This is theoretically possible, provided that the language has very limited interactions with the Java world. But in the general case you run into the Java "how to safely stop an uncooperative thread" problem ... to which there is no solution in a standard JVM.

A couple of aspects that are difficult to deal with are:

anything involving threads,
script-to-Java method calls that take a long time,
blocking I/O.

(And you also need to consider other "activities" that might disrupt your system; e.g. creating huge data structures, locking objects in the host JVM, or doing things designed to consume system-level resources; e.g. fill up the file system, or drain the system's entropy pool.)

4) have simple and readable syntax

That is something you will need to judge for yourself. (Readability / simplicity cannot be measured objectively ...)

I'll clarify in my question, I understand your concerns – mabn May 05 '13 at 03:33 — mabn, May 05 '13 at 03:33

scripting language - to execute on the server

2 Answers2