This question already has answers here:
How to prevent code injection attacks in PHP?
(8 answers)
Closed 6 years ago.
I have a form data which recieved java code from user and store it in the database.
So how do I sanitize the input to make sure that it is indeed java code?
what do you want to achiveve with that, you want to save java code to database?, well if you want to do something like that then you need regular expressions i think, thats the first thing it comes to my head
This sounds somewhat dangerous (not the storing of java text code in a DB), but why would such a use case come up. Nevertheless...
If you are not going to be expecting all aspects of the Java language, you may want to look into BeanShell. Beanshell can take java source code and evaluate it without compiling. You can likely "source" the code without executing it. If it passes, then it is java code, if not, then it is not java code. However, Beanshell does not accept all modern syntax and structures of newer Java editions.
One easy way to verify that it is indeed java code is to try to compile it (this of course gets messy if the code requires dependencies). If you do take this route, then make sure you are compiling in a DMZ computer/user (I am not aware of any risks of compiling untrusted code, but there might be).... just don't run the code after you compile it!
Related
This question already has answers here:
What is a Java ClassLoader?
(8 answers)
Closed 5 months ago.
I'm still fairly new to java and currently working on a text-based adventure game as a practice project.
The engine loads scenes to play that are all child-classes from a "Scene" superclass and appear as for eg. "dungeon.java". Now I want the game to be expandable.
The ideas is that a user can drop new scenes as .java-files into a "Scenes" folder and everytime the game is launched it reads all files in that folder and safes them into a "Scene"-class array.
My problem is that I don't know how to code this. I googled a lot and tried various phrasings but all I can find are tutorials for reading lines from txt-files or similar.
Is it even possible to read a complete file into a variable without serialzation?
I already tried the following code, but didn't get around to test it yet.
private static void buildScenePool() {
File scenesFolder = new File("/scenes");
\\ setup filter for .java files
FilenameFilter javafilter = (dir, name) -> name.endsWith(".java");
File[] sceneList = scenesFolder.listFiles(javafilter);
\\ create new arry large enough for all scenes
allScenes = new Scene[sceneList.length];
try{
FileInputStream fileIn = new FileInputStream(scenesFolder);
ObjectInputStream objectIn = new ObjectInputStream(fileIn);
\\ iterate trough the list array and safe files to array
for (int x = 0; x < allScenes.length; x++) {
allScenes[x] = objectIn.readObject( (Scene)sceneList[x] );
}
objectIn.close;
} catch (IOException e) {
System.err.println(e.toString());
}
}
This is rather very complicated. java code is normally compiled, and thus, that means you'd have to scan for a new java file, compile it (which is its own complicated ordeal, as that also means setting up the classpath and the like properly so that the compiler knows what to do), then load in the class file the compiler produced, and then call the appropriate methods in there.
You can do that. It's just, quite complicated. Your standard JVM doesn't necessarily even ship with a compiler; this is solvable too (either demand that this runs only on one that does, and the modern deployment rules for java involve you getting a JVM on your user's machines, so you thus pick one that does include a compiler – or you can just ship the compiler as dependency with your app, javac is itself a java app and runs on any JVM).
However, the more usual approach is to not actually use java for this. Instead, use something java-like, but not java: Scripting languages, like groovy, or javascript (okay, that is not particularly java-like perhaps).
That is its own sort of complication. There are no easy answers to any of this.
I think it's time to first think broad strokes and determine how you want the user's experience (that is, a user that wants to add a scene) should be, and then ask a new SO question about your specific choice.
You write em, they install em
In this model, users simply download or pick a 'scene' impl that someone else wrote (a 'real' programmer with a full fork of the entire source code, an IDE, a build tool, the works). Don't knock it - programming is hard, and saying: "Oh, look, anybody can customize a scene, it's easy, just open notepad.exe, write something like this (example java file here), and dump it in the Scene folder and off you go!", but this is not at all easy. To us programmers that seems familiar at least, but to your average user you're asking them to just rattle off a poem in ancient sumerian - normal people don't program. And if they do program, they're programmers. They would much rather get instructions about how to fork a project and set it up in an IDE than some bizarreness about tossing raw java files someplace.
Scripting
This is what Processing (for programming arduinos) does, more or less what webbrowsers did (which explains why javascript is so weird), and most 'plugin systems' for pseudo-smart editors like TextMate and Emacs do: You script them. As in, you fully buy into the idea that the custom stuff written by the user is extremely simple and highly targeted (really only makes sense to run within the confines of your app, not as standalone stuff - and dependencies don't generally come up), and pick a language that fits that model, and java certainly is not that.
Obvious options are javascript and groovy. This is certainly possible but not at all easy. Still, if you're interested, search the web for tutorials on how to run javascript or groovy inside a JVM, and you'll get plenty of hits.
Java code, and you compile it
That's what your question is positing as only option. I don't recommend it, but you can do this if you must. Be aware that it seems to me, based on the way you worded your question and your example code which makes various newbie mistakes (such as print-and-continue exception handling, which is always wrong, using obsolete APIs, and messing with built-in serialization) that this is a few ballparks beyond your current skillset. A challenge is always cool, so, if you want to go for it, you should! Just be aware it'll be the most difficult thing you've ever written and it'll take a few fully dedicated weeks, with a lot of reading and experimenting.
Just definitions, really
The central tenet so far has been that you can actually program. Instructions that make the machine act in certain ways. Possibly you don't need any of that. If a Scene is really just a background colour and a few widgets displayed here and there, should it even be code at all? Maybe you just want a declarative setup: The plugin/scene writer just declares certain properties and that's all they get to do, you just 'run' such a declarative definition. In which case the 'language' of the declaration can be in JSON, XML, YAML, TOML, or any other format designed for configuration files and such, and you can forego the hairy business of attempting to compile/run user-provided code in the first place.
In order to load the Java classes into your application, you need to compile them. You could do this from Java by invoking the javac executable. See Starting a process in Java? for instructions on how you could do that. Once compiled, you'd then need to load the classes into the JVM using a class loader, e.g. by invoking ClassLoader.defineClass. You probably want to configure a protection domain as well, to prevent user provided classes from misbehaving.
However, Java might not be the best approach for extending your application. You could consider using a scripting language instead, like JavaScript. See Nashorn (an open source script engine that was included in previous versions of Java, and that can now be downloaded separately) and the Java Scripting Programmer's Guide for more information.
I am in the process of moving some old ColdFusion source code across to Java. Most of it is in CFScript format and this does a good enough job of converting CFML to CFScript: https://cfscript.me/ (Thanks Pete Freitag)
I wonder if there are utilities to convert CFScript source to Java source code. Note: I am NOT talking about decompiling java class bytecode.
The CFScript syntax is pretty close to Java syntax and I am looking for a way to do some of the heavy lifting to reduce the amount of hand-editing.
Any thoughts? If not, I might have a go at writing something.
Thanks,
Murray
EDIT: More background:
I want to migrate an application completely from CF to Java. But, it is a big app and my idea is to incrementally create "drop in" java classes to replace existing CFCs and write new code as Java classes in the meantime. I can execute a Java class in CF and use CFCs in Java via createDynamicProxy().
At its most simple form I can then change from
someObj = createObject("component","SomeCFC");
msg = someObj.getMessage();
to
someObj = createObject("java","SomeClass");
msg = someObj.getMessage();
I am not looking to "port" it (as we would say in the old days ;-) ), just to run the CFC through a "parser" that did some of the obvious code changes before I then work through and fix the harder stuff and refactor. That way, at least I have the business logic and same methods and I can run it through the tests.
This might be pie-in-the-sky but I imagine I am not the first person who needed to go down this particular migration path.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How do I “decompile” Java class files?
I m new to java and i was wondering if there is a way to retrieve the source code of a file (i.e. the .java file) from its compiled file (.class file).
I have read about the compilation process i.e. about the parsing, the syntax and semantics trees, the intermediate code generation, macros used etc. It sounded like a very complex process. Reverse engineering it will be even more difficult. Therefore, I think it is not possible but i had to ask. I googled it but couldn't find anything satisfactory.
Also i learnt about code-obfuscation in my class. If de-compilation is possible how will it behave for an obfuscated file?
Thanks in advance.
[edit : I won't complete the answer as this question is a duplicate, this is just an additionnal comment on the second part of the question]
When you obfuscate a class, you remove everything that isn't needed for the execution but is present in the file, like the names of the method.
In fact, obfuscating an isolated class doesn't remove a lot because other classes need the names of the methods or visible fields. So usually you obfuscate a group of class togethers using a tool like proguard.
Yes there is, very simple by the way, get a program called DJ Java Decompiler (search in google it's easy to find) and after you install it, you just have to open the .class file, and it shows the code all formatted and indented.
Microsoft Windows only application
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Convert String to code in Java
Dynamic code execution on Java
I have a String containing : "for(int i=0 ; i<5 ; i++){System.out.println(\"*\");}"
Can I execute the code in this String in Java?
Since Java 6, you can compile and run a Java compilation unit defined as a String or a File using standard APIs in the SDK (a compilation unit is basically everything that goes inside a .java file - package, imports, classes/interfaces/enumerations), take a look at this example. You can't run an arbitrary Java snippet like the one in your question, though.
If at all possible, it'd be a better idea to embed a different scripting language that allows you to run snippets of code from a Java program - for example, JavaScript, Groovy, MVEL, BeanShell, etc.
If you turn it into a full-blown source file, you can feed it to the java compiler programmatically, but last time I checked that was only available if you had the java SDK installed on your machine; it was not available on machines with the client distribution of Java. Of course, this may have changed since then. Look at package com.sun.tools.javac and you will find the java compiler API there.
Maybe you can run this as Groovy:
http://groovy.codehaus.org/Embedding+Groovy
There isn't a Java Core API function for doing this, but you can call javac either by using Runtime.exec or using some "unsafe" classes from com.sun.tools.javac Here's an example:
http://juixe.com/techknow/index.php/2006/12/12/invoke-javac-at-runtime/
I don't think you can execute a String containing a java code.
But it is worth a try if you can save that as a java source file and try to use ProcessBuilder class to execute.
Never tried it and not sure if it is best way to do it. So use it with caution :)
Good Luck!
Also found a similar post: Runtime class in java
No, you can not execute this code in your program.
I did a quick search and could not find anything on this topic. I am not even sure if this is possible, but I am curious.
Is it possible to compile a Java program on a server right before a user downloads the program. The application that I can think of for this would be to modify a program's source code on the fly before a user downloads it. This could be helpful in a setup where the program is modified based on user input or settings on a website and those changes are hard baked into the program so what they download is a stand alone program that is customized and fully portable. The other application I thought of would be if each user were to use a different feature combination in a program so it is compiled only with the feature set they need/want on the fly.
I have a few programs ideas that I could test this out with, but this is mostly an academic thought and curiosity of mine.
So long story short, does anyone know of any technologies that could make a system like this work?
Sure, it's possible.
Just let the download link point to some script, that compiles / packages the source and sends back the result. This can be implemented in, for instance PHP, in just a few lines of code. It's quite similar to captchas: On-the-fly generated unique data, retrieved through a URL.
I myself have thought about this idea for protocol obfuscation purposes and for "software registration key algorithm" generation.
I would however recommend you to factor out the parts which you want to be recompiled into a separate class / set of classes, compile only these, and package it with the rest of the (already compiled) program upon request.
I have written a library using the Compile API (comes with Java 6) to compile code in ememory but I would suggest you don't need to pre-generate code as anything you can do with generated code you can do with dynamic code. There can be a slight performance advantage, but I suggest you try doing what you need with dynamic code (i.e. code with loops, if statements and reflection) to do what your generated code would do first as this is alot simpler and likely to do what you want.
Even if you must have generated code, it is useful to write the code in a non-generated form first so you are clear as to what you need the code to do.