After setting up a JavaScript-ScriptEngine like this:

import javax.script.ScriptEngineManager;
import javax.script.ScriptEngine;
import javax.script.ScriptException;

public class Compute {

  public static void main(String[] args) {
    try {
      // Look up the JavaScript engine bundled with the JDK (Rhino on 6/7, Nashorn on 8 to 14;
      // on later JDKs getEngineByName returns null unless an engine is on the classpath)
      ScriptEngineManager mgr = new ScriptEngineManager();
      ScriptEngine engine = mgr.getEngineByName("JavaScript");

      // Evaluate whatever the first command-line argument contains and print the result
      System.out.println(engine.eval(args[0]));
    }
    catch (Exception e) {
      // Every failure (ScriptException, missing argument, null engine, ...) is reported the same way
      System.out.println("Syntax Error!");
    }
  }

}

Why can you do things like: java Compute "java.util.Arrays.toString(new java.io.File(\".\").listFiles())"

Isn't the ScriptEngine for "JavaScript" supposed to execute JS only?

Any links on what the Engine actually does or why this is possible, would be greatly appreciated.

(edit: This is not a duplicate of security problem with Java ScriptEngine, as I want to know why this is possible, not how to avoid it)

  • Possible duplicate of security problem with Java ScriptEngine Commented Jan 1, 2016 at 6:14
  • Looking at the ScriptEngineFactory::getMethodCallSyntax() method, it seems to me that the idea is to allow you to build dynamic script (in your case, JavaScript) functions and then execute them. I wouldn't put money on that answer, but it's what I found with some quick searching. Didn't even know you could do this, but makes sense. Fascinating! Commented Jan 1, 2016 at 6:16
  • ah.. so getMethodCallSyntax() acts as a converter to adapt my Java-code to something JS can execute? Commented Jan 1, 2016 at 6:28
  • Do you want to know why this feature was provided or how this is implemented? Commented Jan 1, 2016 at 8:52
  • Why it was provided, and why the official documentation tells you so little about it, is my biggest interest :) Commented Jan 1, 2016 at 9:04

1 Answer

You have to stop and think for a moment what exactly a scripting engine is used for. To quote the official documentation (which is a recommended read on the topic):

With the Java Scripting API, it is possible to write customizable/extendable applications in the Java language and leave the customization scripting language choice to the end user

The point is you write your big old application in Java, and then have another party (which could be the end user, application developers using your "engine/framework", or dedicated consultants if you are an Enterprise-level shop) customize it to suit their needs.

This customization takes place in a non-compiled language (i.e. script), like JavaScript (ECMAScript). The scripting engine allows interaction with the Java classes in exactly the way your little test script demonstrates. After all, this interaction is the whole point of having a scripting engine in the first place.
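An added example (not the question's or the answer's code) showing the other side of the answer: because the engine deliberately exposes Java classes, the host decides which ones a script may resolve, and Nashorn provides a ClassFilter hook for exactly that. It assumes a JDK that ships Nashorn (8u40 through 14; on the standalone nashorn-core artifact the package is org.openjdk.nashorn instead of jdk.nashorn), and the allow-list contents are constructed for this example.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class FilteredCompute {

  // Constructed allow-list: the only Java classes scripts are permitted to see.
  private static final Set<String> ALLOWED =
      new HashSet<>(Arrays.asList("java.lang.Math", "java.util.Arrays"));

  // Nashorn calls exposeToScripts() every time a script resolves a Java class name;
  // returning false hides the class from the script.
  static ClassFilter allowListFilter() {
    return className -> ALLOWED.contains(className);
  }

  // Same "JavaScript" engine as in the question, but created through the Nashorn
  // factory so the filter can be attached (ScriptEngineManager offers no such hook).
  static ScriptEngine restrictedEngine() {
    return new NashornScriptEngineFactory().getScriptEngine(allowListFilter());
  }

  static String run(ScriptEngine engine, String script) {
    try {
      return String.valueOf(engine.eval(script));
    } catch (ScriptException | RuntimeException e) {
      // A hidden class cannot be resolved, so the script's access to it fails
      // and eval throws; the host sees the failure instead of a File listing.
      return "denied: " + e.getClass().getSimpleName() + ": " + e.getMessage();
    }
  }

  public static void main(String[] args) {
    ScriptEngine engine = restrictedEngine();
    // Allowed class: evaluates normally and prints 3
    System.out.println(run(engine, "java.lang.Math.max(2, 3)"));
    // The question's expression: java.io.File is not on the allow-list, so this is denied
    System.out.println(run(engine,
        "java.util.Arrays.toString(new java.io.File('.').listFiles())"));
  }
}
```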
