Package com.lucidworks.apollo.util
Class GraalVmScriptEngineFactory
java.lang.Object
com.lucidworks.apollo.util.GraalVmScriptEngineFactory
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final Stringstatic final org.graalvm.polyglot.HostAccess -
Method Summary
Modifier and TypeMethodDescriptionstatic org.graalvm.polyglot.ContextBuilds a fully isolated context with maximum security restrictions.static org.graalvm.polyglot.Contextstatic org.graalvm.polyglot.Context.BuilderCreates an isolated context builder with maximum security restrictions.static org.graalvm.polyglot.Context.BuilderReturn the context preconfigured to be compatible with nashorn engine as much as possible.static org.graalvm.polyglot.EngineCreates Javascript Engine.static StringgetWrappedScript(String template, String script, com.fasterxml.jackson.databind.ObjectMapper objectMapper) Takes in the wrapper template and the script and returns the converted scriptisolatedPackageLookup(String... packages) Creates a highly restrictive package lookup for isolated mode that blocks: - Network access (java.net, javax.ws, jakarta.ws, HTTP clients) - System access (System.getenv, Runtime, ProcessBuilder) - File I/O (java.io) - Reflection (java.lang.reflect) - Any potential K8s environment access This mode only allows safe basic types and pipeline-specific classes.packageLookup(String... packages)
-
Field Details
-
GRAALVM_ENGINE
- See Also:
-
HOST_ACCESS
public static final org.graalvm.polyglot.HostAccess HOST_ACCESS
-
-
Method Details
-
createNewJavascriptEngine
public static org.graalvm.polyglot.Engine createNewJavascriptEngine()Creates Javascript Engine. Engine is thread safe, in contrast to context. Engine is cashing the compiled code.Engine should be closed after it is no longer needed.
- Returns:
-
packageLookup
-
isolatedPackageLookup
Creates a highly restrictive package lookup for isolated mode that blocks: - Network access (java.net, javax.ws, jakarta.ws, HTTP clients) - System access (System.getenv, Runtime, ProcessBuilder) - File I/O (java.io) - Reflection (java.lang.reflect) - Any potential K8s environment access This mode only allows safe basic types and pipeline-specific classes. -
getWrappedScript
public static String getWrappedScript(String template, String script, com.fasterxml.jackson.databind.ObjectMapper objectMapper) throws com.fasterxml.jackson.core.JsonProcessingException Takes in the wrapper template and the script and returns the converted script- Throws:
com.fasterxml.jackson.core.JsonProcessingException
-
createNashornCompatibleContext
public static org.graalvm.polyglot.Context.Builder createNashornCompatibleContext()Return the context preconfigured to be compatible with nashorn engine as much as possible.By default disallows to lookup any classes. Use allowHostClassLookup method to change it. Consider to set and share the same Engine if possible.
- Returns:
- nsahorn frindly GraalVM JS context
-
buildSimpleContext
public static org.graalvm.polyglot.Context buildSimpleContext() -
createIsolatedContext
public static org.graalvm.polyglot.Context.Builder createIsolatedContext()Creates an isolated context builder with maximum security restrictions. This context prevents: - I/O operations (file system access) - Environment variable access (prevents K8s environment access) - Thread creation - Native code access - Network requests (via class filtering) - System property access (via class filtering) Use this mode when executing untrusted scripts that should have no access to the external environment or system resources.- Returns:
- isolated context builder with security restrictions
-
buildIsolatedContext
public static org.graalvm.polyglot.Context buildIsolatedContext()Builds a fully isolated context with maximum security restrictions. Combines isolated context builder with isolated package lookup to prevent any access to network, file system, environment variables, or system resources. This is the recommended method for executing untrusted user scripts.- Returns:
- isolated context with all security restrictions enabled
-