java classloader java-security

Why do online judges, such as Codeforces and LeetCode, not allow Java submissions to use a self-built ClassLoader?


For example, when executing

new ClassLoader() {};

java.security.AccessControlException will be thrown. Is there any risk in an OJ allowing submitters to build their own ClassLoader? Is there any alternative to the function defineClass()?


Solution

  • Security policies are associated with code locations. Since a ClassLoader can specify the code location for the classes it defines, it could dodge restrictions applying to its own code location.

    When you use MethodHandles.lookup().defineClass(…) you can only create classes within your own context; hence, you cannot use it to expand your privileges. Therefore, you can use it even when a security manager is installed, as long as your lookup object has the necessary full privileges.

    So, when I run the example of this answer under JDK 14 or newer with the
    -Djava.security.manager option, it runs smoothly without requiring any permissions.

    So when the mentioned online execution environments run under JDK 14 or newer, you can use this method for dynamic code generation.
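
The difference the answer describes, as an added example that is not part of the original answer: the same class bytes are defined once through a custom loader with a caller-chosen code location and once through `MethodHandles.lookup().defineClass`, which offers no such choice. The names `DefineClassDemo`, `Probe` and `LabelingLoader` and the `file:/constructed/...` URL are constructed for illustration.

```java
import java.io.InputStream;
import java.lang.invoke.MethodHandles;
import java.net.URI;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Added example: compile with javac, run on JDK 9+ without a security manager.
public class DefineClassDemo {
    // Never referenced in code, so the application loader has not loaded it yet.
    static class Probe { }

    // Hypothetical loader that tags its classes with a caller-chosen ProtectionDomain.
    static class LabelingLoader extends ClassLoader {
        LabelingLoader() { super(null); } // creating any loader needs "createClassLoader"
        Class<?> define(String name, byte[] b, ProtectionDomain pd) {
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    static byte[] probeBytes() throws Exception {
        String res = "DefineClassDemo$Probe.class";
        try (InputStream in = DefineClassDemo.class.getResourceAsStream(res)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = probeBytes();
        ProtectionDomain own = DefineClassDemo.class.getProtectionDomain();

        // Custom loader: the code location is whatever the loader's author passes in.
        CodeSource claimed = new CodeSource(
                URI.create("file:/constructed/other-location/").toURL(), (Certificate[]) null);
        Class<?> viaLoader = new LabelingLoader()
                .define("DefineClassDemo$Probe", bytes, new ProtectionDomain(claimed, null));
        System.out.println("loader-defined location: "
                + viaLoader.getProtectionDomain().getCodeSource().getLocation());

        // Lookup.defineClass: no domain parameter; the class joins the caller's own
        // loader, package and ProtectionDomain, so policy treats it like the caller.
        Class<?> viaLookup = MethodHandles.lookup().defineClass(bytes);
        System.out.println("lookup-defined, same domain as caller: "
                + (viaLookup.getProtectionDomain() == own));
        System.out.println("lookup-defined, same loader as caller: "
                + (viaLookup.getClassLoader() == DefineClassDemo.class.getClassLoader()));
    }
}
```

Under a security manager the `new LabelingLoader()` line is where the `AccessControlException` from the question is raised, because the policy-relevant code location would otherwise be under the submitter's control.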