2

After setting up a JavaScript-ScriptEngine like this:

import javax.script.ScriptEngineManager;
import javax.script.ScriptEngine;
import javax.script.ScriptException;


public class Compute {

  public static void main(String[] args){
    try{

      ScriptEngineManager mgr = new ScriptEngineManager();
      ScriptEngine engine = mgr.getEngineByName("JavaScript");

      System.out.println(engine.eval(args[0]));
    } 
    catch(Exception e){
      System.out.println("Syntax Error!");
    }
  }

}

Why can you do things like: java Compute "java.util.Arrays.toString(new java.io.File(\".\").listFiles())"

Isn't the ScriptEngine for "JavaScript" supposed to execute JS only?

Any links on what the Engine actually does or why this is possible, would be greatly appreciated.

(edit: This is no duplicate of security problem with Java ScriptEngine, as I want to know why this is possible, not how to avoid it)

Community
  • 1
  • 1
Andres R
  • 103
  • 1
  • 7
  • Possible duplicate of [security problem with Java ScriptEngine](http://stackoverflow.com/questions/1878052/security-problem-with-java-scriptengine) – Erwin Bolwidt Jan 01 '16 at 06:14
  • Looking at the [`ScriptEngineFactory::getMethodCallSyntax()`](https://docs.oracle.com/javase/7/docs/api/javax/script/ScriptEngineFactory.html#getMethodCallSyntax(java.lang.String,%20java.lang.String,%20java.lang.String...)) method, it seems to me that the idea is to allow you to build dynamic script (in your case, JavaScript) functions and then execute them. I wouldn't put money on that answer, but it's what I found with some quick searching. Didn't even know you could do this, but makes sense. Fascinating! – Matthew Herbst Jan 01 '16 at 06:16
  • ah.. so getMethodCallSyntax() acts as a converter to adapt my Java-code to something JS can execute? – Andres R Jan 01 '16 at 06:28
  • Do you want to know why this feature was provided or how this is implemented ? – 11thdimension Jan 01 '16 at 08:52
  • why it was provided and why the official documentations tell you so few about it, is my biggest interest :) – Andres R Jan 01 '16 at 09:04

1 Answers1

2

You have to stop and think for a moment what exactly a scripting engine is used for. To quote the officicial documentation (which is a recommended read on the topic):

With the Java Scripting API, it is possible to write customizable/extendable applications in the Java language and leave the customization scripting language choice to the end user

The point is you write your big old application in Java, and then have another party (which could be the end user, application developers using your "engine/framework", or dedicated consultants if you are an Enterprise-level shop) customize it to suit their needs.

This customization takes place in a non-compiled language (i.e. script), like javascript (ECMAScript). The scripting engine allows interaction with the Java classes in exactly the way your little test script demonstrates. After all, this interaction is the whole point of having a scripting engine in the first place.

Paul-Jan
  • 16,746
  • 1
  • 63
  • 95