In this question's answers someone can find many sites (like ideone) allowing a user to write and run programs online. I'm interested in making something similar (only for Java code though) and was wondering on how can this be done.
A simple idea would be take user's given code, send it to server, compile it, run it and then send back the output to the user. But what if the user has malicious code like deleting my server files, etc.? If I wanted to create the same thing for the C programming language, I guess I could just get the assembly code of the C file, see what system calls are being used and decide whether the given code is malicious or not. Based on the previous idea, should I look in Java, the program's created bytecode? Is there any better/easier way to do it?
Don't reinvent the wheel, Java has the SecurityManager mechanism to restrict potentially malicious code
Reference
the Security Trail of the Java
Tutorial
Permissions in the Java™ SE 6
Development Kit (JDK)
In addition to what Sean Patrick Floyd said in his answer, you could also sandbox the process itself on your Operating System as an added measure. Create a new user on your host (the machine that executes the code) and assign it very few permissions (only what's required to run the code). Run the process as that user.
That way regardless of the SecurityManager present, the spawned process won't be able to harm anything.
Related
I made a Java (on IntelliJ IDEA) application and I want to give it to someone via USB or Dropbox.
However I don't want him to give it to someone else, like you know, he downloaded the file, so he can copy/paste it to his USB and give it to more people.
Is there any way to prevent the application from being copied after I give him the application? At first I thought of making a login window, but then I thought "hey, if he knows the password to login to application, he can just give the application to someone and give him the password as well", so login window is not an option (I think?). Can I disable the copy/cut functions with If statements after being copied once?
Or I can only prevent it by linking my application with a database and generating unique passwords to activate my application? Like for example, someone requested to use my application, so I will give him the application but he won't be able to run it. Then I generate a password and sent him the password. However that password can only be used once so if he will try to use the same password on 2 different PCs, it will give him an error. Is there any guide/tutorial/tips of making something like that on Java?
You could create some kind of "activation code" for your software that is generated based on some information about the hardware it's running on. I've seen some people using, for example, the MAC address, that you can obtain in a platform-independent way in Java.
However, keep in mind that those techniques will only work against the most basic users. MAC addresses can be easily changed by anyone that knows how to use Google and even if you use something incredibly complicated instead of MAC addresses, Java programs are dead simple to decompile and once the attacker knows what function is checking if the program is correctly activated, he/she can easily replace it. Yes, you can obfuscate your bytecode, but it only makes the task a little harder, not impossible.
You can do what you suggested and use passwords that can only be used once, but then your program needs to know that it has been activated, by storing that information somewhere (a file or something like that). And once the user knows where that information is stored, it can be replicated on other computers.
Unfortunately, once the user has your program, you have no control over what he/she can do. You can make sure that the user is not going to do stuff he/she is not supposed to do with your program by not giving him/her the program at all. You can, for example, expose your program's features through the web. But, as you said, nothing stops an user from sharing login credentials with another person. Yes, you could check if the user is accessing the page from a different IP address, but then a legitimate user could have problems when, for example, accessing your program from a different wifi network. And in this case, your protection not only fails in solving the problem, but also becomes annoying to a honest user.
In summary, brilliant engineers at huge software companies have been working on protections for their software for years and I'm yet to see a software that cannot be illegally activated given enough time and effort.
Disclaimer: I am not a professional developer; I'm just a hobbyist, and a relatively inexperienced one at that, so I apologize for what figure to be some very basic questions. (and yes, I've search the forums)
I've recently been working on a "deal finder" program which is written using a combination of Java and R. The basic steps that I've completed so far are:
Load data on various deals into Java using a particular eCommerce API
Write the data that I need to a series of text files
Load the data from the text files into R
Manipulate the data in R and assign a "score" to each deal
Sort by score to produce a ranked list of deals
Here's where I need help: I'm currently running the program manually by running my Java program in Eclipse and subsequently running the R script. This is obviously inconvenient (and also a bit addictive), so what I'd like to do instead is:
Run the program continuously or at some predefined interval (say every minute)
Send a notification to my iPhone or (if that's too difficult) my desktop whenever
there's a new deal whose score is above a certain threshold.
The problem: I have no idea where to begin with the two tasks above. My coding experience is limited to a bit of Java and math/stat languages like R and MATLAB. I have zero experience with web/mobile development, servers, etc., but I am willing to learn. What I'm hoping to get from this forum is not a completely specified solution, but instead just some general direction. If someone can give me a sense of how this should be done, how much work it would be, what language(s) I would need, etc., that would be immensely helpful.
Two more things I should probably mention: 1) This program is only for my personal use, so the resulting application, whether it be on my phone or desktop, can have very minimal functionality beyond the ability to send/receive notifications. 2) If it makes things easier, I think I can eliminate the dependency on R and write everything in Java.
Any help will be greatly, greatly appreciated.
Two more things I should probably mention: 1) This program is only for my personal use, so the resulting application, whether it be on my phone or desktop, can have very minimal functionality beyond the ability to send/receive notifications.
You may want to use a third-party notification app like Boxcar and its Provider API for this, then.
Depending on your operating system, there are programs that allow you to schedule tasks to run. Cron in Linux or Windows Task Scheduler for instance. You can easily find guides for these online.
Have you considered using email? Rather simple to do from java and wouldn't be platform specific.
I want to be able to input java commands/code to execute during run-time (during the execution of a "persistent" program) in the same way, or as close as possible, to the same code would be executed if it was present on the source-code for the program (programmed as part of the software), using a GUI element, like jTextArea.
The following StackOverflow questions seem to be related, but, along with they'r answers, don't seem to be what i'm looking for.
How To Get Input From Console Class In Java?
Using GUI for console input and outputin java
I don't want to "be able to trigger actions from specific console inputs, and print the feedback into the console", as seems to be the case of console applications described in those question and answers.
What i want is to "be able to execute actual java code, that i cannot predict nor control, from console (or GUI) input".
NOTE: The "i cannot predict nor control" here refers to the "developer"...But of course i can predict and "control" it if i'm the one inputting the code, as the "user" would do.
Since java uses a virtual-machine environment, i think it might be possible for it to execute "run-time inputted code"...But i'm not sure such thing is even possible.
For example, i'd like the run-time input of for(int i=0; i<3; i++){System.out.println(i);} in the "GUI console" (jTextArea, for example) to, upon pressing the enter key or clicking a "Send" button, be ("compiled and "?) executed, and give the same output as if it was part of the original source-code, thus:
0
1
2
So i'd like to know the following:
Is it possible?
If yes, how can i do it? (OR, if no, what is the closest alternative?)
Use the JavaCompiler. It can compile code from a String.
For an E.G. see the STBC & especially the source code. It provides a GUI and can compile the code in the text area on button click.
But note the:
System Requirements
STBC will run on any computer with a version 1.6+ Java Plug-In* JDK (AKA SDK).
(*) The API that STBC uses is merely a public interface to the compiler in the tools.jar that is distributed only with JDKs (though the 'public JRE' of the JDK also seems to acquire a tools.jar). This leads to some unusual requirements in running either the native jar, or the web start app.
You can use JavaCompiler, as this question's answer states:
https://stackoverflow.com/a/935316/420001
Also, what you're wanting to do is evaluate a String of code:
It's not really recommended though.
There is a project called BeanShell
"In short, BeanShell is dynamically interpreted Java, plus a scripting language and flexible environment all rolled into one clean package. "
I know this is an old answer but for future Googlers:
I would recommend JavaREPL whose source is available here:
https://github.com/albertlatacz/java-repl
What AlmightyR is asking for is called Read-Eval-Print-Loop (REPL) for the Java language which is what JavaREPL provides.
JavaREPL has an online demo available here: http://www.javarepl.com/console.html
JavaREPL also has an Intellij plugin and a CLI version which are both linked to in the Github repository.
It looks sort of abandoned currently but perhaps it just doesn't need to be maintained?
In my website my users will submit source code of languages by using a html form . I want to
compile and run this code belonging to different programming languages
like c,c++,java etc... on the server and return the output or errors to the webpage.
many clients upto 3000 submit such codes every week and i need to run them and show output.
I must need java and c++ language to work ,but other languages support is appreciated.
Ineed to implement this on my site codersadda.com where you can find programs and i want to show output for them
It sounds like you need a little front-end for the compiler to make it comply with something like FastCGI. The exact interface will depend on the web server you're using, but the general principle remains pretty close to constant -- invoke the compiler, capture its output and route it back to the server to be formatted as HTML and sent to the user.
Edit: sorry, the first time I read this, I didn't notice the "and run" part of the question. For that, nearly the only reasonable choice is to run the code in a virtual machine. Basically, set up a virtual machine and create a "snapshot" in its pristine state. Then for each program run, you'll restore the virtual machine from the snapshot, and run the user's program. The tricky part will be spawning a program to run inside the VM, and capture its output when it's done. I'd guess that's possible, but I've never tried to do it, so I'm not sure exactly how -- and even if I did know how, it probably varies from one VM to another anyway.
I'm currently developing a support system for a university. The system is written in PHP and I would like to be able to get a current list of software and basic computer information on a computer. Basically when one of the faculty or staff creates a ticket from our web interface, I would like to have a Java Applet or similar that could be run and would return the information to the help desk PHP script. Does something like this exist?
There are lots of programs that do this sort of thing. Googling for "CMDB" should give you a reasonable start -- a couple of them are open source, though others aren't even close to free (e.g., BMC Atrium).
To keep things closer to topical (i.e., programming related), one of the main frameworks for this sort of situation is called Web-Based Enterprise Management (WBEM). On Windows this is implemented as WMI. On Linux there are a couple of implementations including OpenWBEM and HP WBEM.
In Java? You'd probably have a hard time even finding, let alone making, an applet that can get that info without already having some software installed on the user's end. The biggest features of java are (1) that it runs in a virtual machine (read: getting to the underlying OS/hardware is not something it likes to do), and (2) that in a browser, applets generally run in a "sandbox" that keeps the applet from doing anything remotely dangerous. Basically the most it can do is tie up resources.
Number 2 can be worked around by signing the applet, but that'll require you either buy a code signing certificate or install a self-signed certificate on any computer that'll run your app.
Number 1 might be worked around with some help from Runtime.exec and ...\wmic.exe, but that assumes the WMI stuff is installed -- which is rarely the case unless someone does a full install.