TechQA.

GraalVM: forbidding methods of certain classes to be called from scripts

291 views Asked by At

We are using GraalVM for some scripting requirements in our product. The version of the GraalVM is 21.2.0 We are using JavaScript and Groovy. We want to forbid some methods on certain classes from using in scripts. Example :

mytest.js

var testService=Java.type('mypackage.TestService');
    new testService().forbiddenJavaMethod();  // this should not be called

TestService.java

package mypackage;
    
    public class TestService{
        
        public void forbiddenJavaMethod(){
            // business logic
        }
    
    }

Is there a way to achieve this in Graal ? I could not find a way to do "method" filtering. Any other approach to solve this?

javascript java groovy graalvm graaljs
Original Q&A
2

There are 2 answers

2
BoriS On

You can configure host access when configuring the context. Namely

public Context.Builder allowHostAccess(HostAccess config)

https://www.graalvm.org/truffle/javadoc/org/graalvm/polyglot/Context.Builder.html#allowHostAccess-org.graalvm.polyglot.HostAccess-

Where the host access can be

HostAccess.EXPLICIT - Java host methods or fields, must be public and be annotated with @Export to make them accessible to the guest language.

https://www.graalvm.org/truffle/javadoc/org/graalvm/polyglot/HostAccess.html

Or you can go into a lot more fine-grained control using the HostAccess.Builder

https://www.graalvm.org/truffle/javadoc/org/graalvm/polyglot/HostAccess.Builder.html

4
colouredmirrorball On

If you can't use HostAccess.EXPLICIT for some reason (eg. you want to keep access to java.util etc), then you can create custom wrapper classes that only expose the relevant methods. With allowHostClassLookup() you can limit which classes are exposed in the engine.

public class Example {
    public static void main(String[] args) {
        TestService service = new TestService();
        Context.Builder builder = Context.newBuilder("js")
            .allowHostAccess(HostAccess.ALL)
            .allowHostClassLookup(path -> path.endsWith("TestServiceScriptable"));
        GraalJSScriptEngine engine = GraalJSScriptEngine.create(null, builder);
        engine.put("service", TestServiceScriptable.newInstance(service));
    }

}


public class TestService {
    public void forbiddenJavaMethod() {
        System.out.println("forbidden!");
    }
    public void allowedMethod() {
        System.out.println("allowed");
    }
}

public class TestServiceScriptable {
    private final TestService service;

    private TestServiceScriptable(TestService service) {
        this.service = service;
    }

    public static TestServiceScriptable newInstance(TestService service) {
        return new TestServiceScriptable(service);
    }


    public void allowedMethod() {
        service.allowedMethod();
    }
}

Then:

// Should work
service.allowedMethod();

// Shouldn't work
service.forbiddenMethod();

Related Questions in JAVASCRIPT

Related Questions in JAVA

Related Questions in GROOVY

Related Questions in GRAALVM

Related Questions in GRAALJS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Trending Questions