rhinorhino-security

Remove additional function from Rhino shell


I want to use Rhino as a sandbox to run user supplied scripts on a server. I want to do that from PHP, which doesn't have Java bindings any more, so I have to use the command line interface (Rhino shell).

Unfortunately the Rhino shell adds some intrinsic functions to the environment that ruin the sandbox character, like file access and runCommand() which allows runnning arbitrary commands on the system.

Is there a way to disable them?


Solution

  • I found that I can just overwrite them with null or delete them:

    runCommand = null;
    delete runCommand;
    

    I can find out which global functions and objects there are by getting all properties of the Global, which is stored in this:

    Object.getOwnPropertyNames(this);