1

I was wondering about the possibility of sending Java code to a servlet, which the servlet would then take and execute.

For example, I would send a chunk of code as a String, which will be added and executed. Can anybody think of a way I could approach this?

BalusC
oneiros
  • 2
    Related: http://stackoverflow.com/questions/2946338/how-do-i-programmatically-compile-and-instantiate-a-java-class/2946402#2946402 – BalusC Feb 21 '12 at 20:51
  • 1
    Could you explain your use case in more detail, specifically why you're trying to execute a `String` at runtime? (That's a pretty serious code smell right there...) – Louis Wasserman Feb 21 '12 at 21:47

2 Answers

1

This is certainly possible - you could send the compiled bytecode Base64-encoded, then decode it at the servlet and use a classloader to load it.

Or you could send a jarfile similarly encoded, save it to disk and add it to a custom URLClassLoader.

You may have major security issues if the code is untrusted, though.

See "What are the security risks I should guard against when running user-supplied Java code?"

DNA
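One way to act on the warning about untrusted code in the answer above, as an added example that is not part of the original answer: the servlet authenticates the Base64 payload with an HMAC-SHA256 tag before the bytes ever reach a classloader. The shared key, the separate tag parameter, the size limit and the class name `SignedBytecodeGate` are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the answer): gate that must pass before any class loading.
public final class SignedBytecodeGate {
    static final int MAX_CLASS_BYTES = 64 * 1024; // assumed upper bound for one class
    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Returns the decoded class bytes; throws SecurityException if any check fails. */
    static byte[] admit(byte[] key, String b64Code, String b64Tag) throws GeneralSecurityException {
        byte[] code, tag;
        try {
            code = Base64.getDecoder().decode(b64Code);
            tag = Base64.getDecoder().decode(b64Tag);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("payload is not valid Base64");
        }
        if (code.length < 4 || code.length > MAX_CLASS_BYTES)
            throw new SecurityException("unexpected payload size");
        // Authenticate first, with a constant-time comparison of the two tags.
        if (!MessageDigest.isEqual(hmac(key, code), tag))
            throw new SecurityException("tag mismatch: sender is not trusted");
        if ((code[0] & 0xFF) != 0xCA || (code[1] & 0xFF) != 0xFE
                || (code[2] & 0xFF) != 0xBA || (code[3] & 0xFF) != 0xBE)
            throw new SecurityException("not a class file"); // magic 0xCAFEBABE missing
        return code; // only now hand the bytes to the classloader
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        byte[] sample = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 52}; // constructed
        Base64.Encoder enc = Base64.getEncoder();
        String body = enc.encodeToString(sample);
        System.out.println("signed: " + admit(key, body, enc.encodeToString(hmac(key, sample))).length + " bytes admitted");
        try {
            admit(key, body, enc.encodeToString(new byte[32])); // forged tag
        } catch (SecurityException e) {
            System.out.println("forged: rejected, " + e.getMessage());
        }
    }
}
```

A valid tag only establishes who sent the code; a class loaded afterwards still runs with the servlet's own privileges.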
0

tools.jar from the JDK contains classes to compile Java code (used by Ant etc.); you can also use the Eclipse compiler, if you want. It is possible, but from a security point of view (code injection etc.) it would be a disaster ;)

Danubian Sailor