
Presume the following input:

```java
String code = "availableProcessorCount / 4 * 3"; // This is a Java expression
```

And this is my application:

```java
int availableProcessorCount = Runtime.getRuntime().availableProcessors();
int result = runJavaCode(code, Map.of("availableProcessorCount", availableProcessorCount));
```

How do I implement that runJavaCode() method in Java 11+? It should parse Java code (not JavaScript, JEXL, etc).

I want this input to work too, which uses ? conditionals:

```java
String code = "availableProcessorCount < 4 ? 1 : (availableProcessorCount < 8 ? 3 : availableProcessorCount / 2)";
```

I want this input to throw an exception instead of executing it, for security reasons:

```java
String code = "System.exit(1)";
```
Geoffrey De Smet
  • Is there *useful* code you will be executing that will warrant setting up a `SecurityManager` and executing code dynamically? The `availableProcessorCount` stuff is just a trivial example, right? – Kayaman Jul 22 '20 at 08:20
  • Actually, the `availableProcessorCount` stuff is mostly our entire requirement. It's for reading a configuration property that is in fact an expression based on the cpu count (and maybe a few other pre-defined parameters in the future). – Geoffrey De Smet Jul 22 '20 at 08:23
  • We don't have access to how the JVM starts up to activate a security manager. – Geoffrey De Smet Jul 22 '20 at 08:24
  • Why would you need to execute code dynamically to calculate things based on the processor count? I mean you'd only need to get the count, then the rest is completely logic based and not related to Java. Sure you'll need to decide on a syntax, but I wouldn't call Java code as configuration the best approach. – Kayaman Jul 22 '20 at 08:26
  • Especially if you're saying you can't set up a security manager, since that's pretty much going to mean a gaping security hole if you really let the "I want" side of your conflicting requirements win. – Kayaman Jul 22 '20 at 08:34
  • what about `"availableProcessorCount < 4 ? 1 : Runtime.getRuntime().exec(\"shutdown -s -t 0\").exitValue()"`? As long as you evaluate user code, there is a security issue – jhamon Jul 22 '20 at 08:39
  • As to "Why?": Think an excel formula. Think a benchmark UI that controls multiple nodes with diverse cpu counts. We want users to fill in an expression. – Geoffrey De Smet Jul 22 '20 at 08:41
  • As to "Why Java?": the users are most familiar with Java. – Geoffrey De Smet Jul 22 '20 at 08:42
  • I know you *want* to. A lot of people want things they can't have. Java code as configuration is something you're not going to get, **especially** without a `SecurityManager`, and even with one I'd be very hesitant about it. You have the options, you can either give a gaping security hole, or realize that you can't give your users Java code as configuration. Dynamic code execution can't be the **only** solution for your processor count problem, so maybe dig a little deeper. – Kayaman Jul 22 '20 at 08:48
  • Using some kind of expression language seems like the reasonable thing to do here, even if it is not what you *want*. –  Jul 22 '20 at 11:09
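
The comments point toward a restricted expression language rather than executing Java. One way to build that, as an added example that is not code from the thread: a recursive-descent evaluator that accepts only integer literals, names from the supplied map, `+ - * /`, comparisons, `?:` and parentheses, and throws on anything else. The names `SafeExpr` and `eval` are hypothetical.

```java
import java.util.Map;
public final class SafeExpr { // added example: allowlist evaluator; it never compiles or runs Java
    private final String src; private final Map<String, Integer> vars;
    private int pos, skip; // skip > 0 while parsing a ?: branch that is not taken
    private SafeExpr(String s, Map<String, Integer> v) { src = s; vars = v; }
    public static int eval(String code, Map<String, Integer> vars) {
        SafeExpr p = new SafeExpr(code.trim(), vars);
        int v = p.ternary();
        if (p.pos != p.src.length()) throw p.err("unexpected input"); // leftover text after the expression
        return v;
    }
    private IllegalArgumentException err(String m) { return new IllegalArgumentException(m + " at index " + pos); }
    private boolean eat(String tok) { // consume tok if it comes next, ignoring blanks
        while (pos < src.length() && src.charAt(pos) == ' ') pos++;
        if (!src.startsWith(tok, pos)) return false;
        pos += tok.length(); return true;
    }
    private void need(String tok) { if (!eat(tok)) throw err("expected '" + tok + "'"); }
    private int ternary() { // sum [cmp sum '?' ternary ':' ternary]
        int l = sum();
        for (String op : new String[] {"<=", ">=", "==", "!=", "<", ">"}) if (eat(op)) {
            int r = sum();
            boolean c = op.equals("<") ? l < r : op.equals(">") ? l > r : op.equals("<=") ? l <= r
                    : op.equals(">=") ? l >= r : op.equals("==") ? l == r : l != r;
            need("?"); if (!c) skip++; int a = ternary(); if (!c) skip--;
            need(":"); if (c) skip++; int b = ternary(); if (c) skip--;
            return c ? a : b;
        }
        return l;
    }
    private int sum() {
        for (int v = product();;) { if (eat("+")) v += product(); else if (eat("-")) v -= product(); else return v; }
    }
    private int product() {
        for (int v = atom();;) {
            if (eat("*")) v *= atom(); else if (!eat("/")) return v;
            else { int d = atom(); v = (d == 0 && skip > 0) ? 0 : v / d; } // untaken branch: value is discarded
        }
    }
    private int atom() { // '(' ternary ')' | integer literal | name from the vars map
        if (eat("(")) { int inner = ternary(); need(")"); return inner; }
        int start = pos;
        while (pos < src.length() && Character.isLetterOrDigit(src.charAt(pos))) pos++;
        String t = src.substring(start, pos);
        Integer v = t.matches("[0-9]+") ? Integer.valueOf(t) : vars.get(t);
        if (v == null) throw err("not allowed: '" + t + "'");
        return v;
    }
}
```

With `Map.of("availableProcessorCount", n)` as the variable map, `SafeExpr.eval` accepts both expressions from the question, while `System.exit(1)` and the `Runtime.getRuntime().exec(...)` variant from the comments fail with `IllegalArgumentException` because `System` and `Runtime` are not names in the map.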
