How can I restrict plugin code in Java without Security Manager?

0
2
Asked By CuriousCoder42 On

I'm looking for ways to restrict plugin code in Java since the Security Manager was deprecated in Java 17 and 21. Previously, we relied on it to limit certain permissions for plugins, but now I need alternatives to ensure plugins can't access sensitive operations like System.exit(). I know some software like IDEs handle this, but how do they prevent plugins from executing dangerous code? I'm open to any suggestions, including bytecode manipulation options, but there must be other methods to consider as well. Thanks for any insights!

5 Answers

Answered By JavaExpert101 On

Check out JEP 486 for an example of managing security without a Security Manager. It's not a complete solution but offers insights into how you might block certain exit calls effectively. For more comprehensive blocking, you might find the GitHub repo RealBlockSystemExitAgent helpful; it provides a solid implementation for managing exit calls more thoroughly, though implementing it can get complicated if you're scaling up security.

PluginHacker88 -

That repo seems like a great start, but it looks challenging to apply broadly!

Answered By GrailsGuru On

Have you thought about using Groovy’s SecureASTCustomizer? It's not perfect, but it does restrict virtually all method calls and class loading, which can help protect against unwanted access in your plugins.

Answered By PluginProtectX On

Most plugin systems just run the plugin code with the same permissions as the main application because many plugins need access to the network and filesystems to function. They often rely on the trustworthiness of the source rather than strict sandboxing. Running untrusted code in isolation can be really tough, especially since many IDEs require those permissions. The best thing you can do is ensure your code comes from a trusted place instead of trying to limit permissions in the same JVM.

SecuritySeeker88 -

Right, limiting access could help with some things, but it doesn't cover everything.

Answered By BytecodeWizard On

Bytecode manipulation can work at deployment time or via a runtime agent, but beware! It can slow down your application. Some methods only work in simple scenarios because reflection is a factor to contend with.

RunnerMan89 -

That's a valid point, I'd imagine it could get messy pretty quickly.
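As an added example of the deployment-time option this answer mentions (my own code, not from the page or from any project named in the thread), the scanner below walks a class file's constant pool and reports direct Methodref entries to System.exit, Runtime.exit and Runtime.halt, plus string constants that name one of those classes, which is the usual trace left by the reflective path the answer warns about. The class names ExitCallScanner and the three probe classes are mine, the probes are constructed samples, and the forbidden-method list is an assumption to adapt.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Deployment-time check: parse a class file's constant pool (no ASM needed) and
 *  report forbidden method references and suspicious string constants. */
public class ExitCallScanner {

    // Assumed policy: methods a plugin must never reference, in JVM internal form.
    static final Set<String> FORBIDDEN_METHODS = Set.of(
            "java/lang/System.exit", "java/lang/Runtime.exit", "java/lang/Runtime.halt");

    /** One finding per forbidden reference; an empty list means the class looks clean. */
    public static List<String> scan(byte[] classFile) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classFile));
        if (in.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file");
        }
        in.readUnsignedShort();                      // minor_version
        in.readUnsignedShort();                      // major_version
        int count = in.readUnsignedShort();          // constant_pool_count; entries are 1..count-1
        int[] tag = new int[count];
        String[] utf8 = new String[count];           // CONSTANT_Utf8 text
        int[] ref1 = new int[count];                 // first u2 operand (name/class/string index)
        int[] ref2 = new int[count];                 // second u2 operand (name_and_type/descriptor index)
        for (int i = 1; i < count; i++) {
            tag[i] = in.readUnsignedByte();
            switch (tag[i]) {
                case 1 -> utf8[i] = in.readUTF();                       // Utf8: u2 length + modified UTF-8
                case 3, 4 -> in.readInt();                              // Integer, Float
                case 5, 6 -> { in.readLong(); i++; }                    // Long, Double take two slots
                case 7, 8, 16, 19, 20 -> ref1[i] = in.readUnsignedShort();   // Class, String, MethodType, Module, Package
                case 9, 10, 11, 12, 17, 18 -> {                         // Fieldref, Methodref, InterfaceMethodref,
                    ref1[i] = in.readUnsignedShort();                   // NameAndType, Dynamic, InvokeDynamic
                    ref2[i] = in.readUnsignedShort();
                }
                case 15 -> { in.readUnsignedByte(); in.readUnsignedShort(); }   // MethodHandle
                default -> throw new IOException("unknown constant pool tag " + tag[i]);
            }
        }
        List<String> findings = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            if (tag[i] == 10 || tag[i] == 11) {                         // Methodref / InterfaceMethodref
                String owner = utf8[ref1[ref1[i]]];                     // Class -> Utf8
                String method = utf8[ref1[ref2[i]]];                    // NameAndType -> name Utf8
                String call = owner + "." + method;
                if (FORBIDDEN_METHODS.contains(call)) {
                    findings.add("direct call to " + call);
                }
            } else if (tag[i] == 8) {                                   // String constant
                String text = utf8[ref1[i]];
                for (String m : FORBIDDEN_METHODS) {
                    String owner = m.substring(0, m.indexOf('.')).replace('/', '.');
                    if (owner.equals(text)) {
                        findings.add("string constant \"" + text + "\" (possible reflective access)");
                        break;
                    }
                }
            }
        }
        return findings;
    }

    /** Constructed sample plugin: calls System.exit directly. */
    public static class DirectExitProbe implements Runnable {
        public void run() { System.exit(3); }
    }

    /** Constructed sample plugin: same effect via reflection; only the string heuristic sees it. */
    public static class ReflectiveExitProbe implements Runnable {
        public void run() {
            try {
                Class.forName("java.lang.System").getMethod("exit", int.class).invoke(null, 3);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** Constructed sample plugin: nothing the host cares about. */
    public static class CleanProbe implements Runnable {
        public void run() { new StringBuilder("ok").reverse(); }
    }

    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = "/" + c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("class file not found: " + resource);
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        for (Class<?> probe : List.of(DirectExitProbe.class, ReflectiveExitProbe.class, CleanProbe.class)) {
            System.out.println(probe.getSimpleName() + " -> " + scan(classBytes(probe)));
        }
    }
}
```

Compile and run with `javac ExitCallScanner.java && java ExitCallScanner`. The direct probe is reported by owner and method name, the reflective probe only through the string-constant heuristic, and the clean probe reports nothing. A plugin that assembles the class name at runtime, or reaches Runtime through an object handed to it by an allowed API, still passes a static scan, which is why a deployment-time check is a complement to a runtime control rather than a replacement for one.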

Answered By SafeLoader On

I created a library called WiseLoader that allows only certain classes to be loaded by plugins, effectively whitelisting safe classes and blocking potentially harmful ones. You can use it to create an interface for plugins while controlling accessible methods and classes. It worked well for my use case, but it might be limiting depending on your needs. Just a caution, it hasn't been tested extensively yet!

InsightFinder -

This looks promising, but we need something more nuanced for real plugin scenarios.
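As an added example of the allowlisting idea in this answer (my own code, not the WiseLoader library's and not from the page), the loader below defines plugin classes itself and lets them link against the JDK only for class names on an explicit allowlist; any other reference fails with NoClassDefFoundError the first time the plugin executes it. The names AllowlistClassLoader, AllowlistDemo, GoodPlugin and BadPlugin are mine, the two plugins are constructed samples, and the allowlist contents are an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;

/** Defines plugin classes in this loader and resolves every other class name only
 *  if it is allowlisted; the JVM turns the ClassNotFoundException into a
 *  NoClassDefFoundError at the plugin's first use of the blocked class. */
final class AllowlistClassLoader extends ClassLoader {
    private final Map<String, byte[]> pluginClasses;   // plugin class name -> class file bytes
    private final Set<String> allowed;                 // fully qualified names the plugin may link to

    AllowlistClassLoader(Map<String, byte[]> pluginClasses, Set<String> allowed) {
        super(AllowlistClassLoader.class.getClassLoader());   // parent consulted only for allowlisted names
        this.pluginClasses = pluginClasses;
        this.allowed = allowed;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                if (pluginClasses.containsKey(name)) {
                    c = findClass(name);                    // plugin code: define it here
                } else if (allowed.contains(name)) {
                    c = super.loadClass(name, false);       // allowlisted: normal parent delegation
                } else {
                    throw new ClassNotFoundException("blocked by plugin allowlist: " + name);
                }
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] bytes = pluginClasses.get(name);
        if (bytes == null) {
            throw new ClassNotFoundException(name);
        }
        return defineClass(name, bytes, 0, bytes.length);
    }
}

public class AllowlistDemo {
    /** Constructed sample plugin that stays inside the allowlist. The explicit StringBuilder
     *  matters: a "+" concatenation compiles to invokedynamic and would need the
     *  java.lang.invoke bootstrap classes, which this allowlist does not include. */
    public static class GoodPlugin implements Callable<String> {
        public String call() {
            return new StringBuilder("hello from ").append("plugin").toString();
        }
    }

    /** Constructed sample plugin that tries to terminate the host JVM. */
    public static class BadPlugin implements Callable<String> {
        public String call() {
            System.exit(1);     // java.lang.System is not allowlisted, so this call cannot even link
            return "unreachable";
        }
    }

    static byte[] classBytes(String name) throws IOException {
        String resource = "/" + name.replace('.', '/') + ".class";
        try (InputStream in = AllowlistDemo.class.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("class file not found: " + resource);
            return in.readAllBytes();
        }
    }

    static String runPlugin(ClassLoader loader, String name) {
        try {
            Callable<?> plugin = (Callable<?>) loader.loadClass(name).getDeclaredConstructor().newInstance();
            return "ran: " + plugin.call();
        } catch (NoClassDefFoundError e) {
            return "blocked at link time: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> allowed = Set.of("java.lang.Object", "java.lang.String",
                "java.lang.StringBuilder", "java.util.concurrent.Callable");
        Map<String, byte[]> plugins = Map.of(
                "AllowlistDemo$GoodPlugin", classBytes("AllowlistDemo$GoodPlugin"),
                "AllowlistDemo$BadPlugin", classBytes("AllowlistDemo$BadPlugin"));
        ClassLoader loader = new AllowlistClassLoader(plugins, allowed);
        for (String name : plugins.keySet()) {
            System.out.println(name + " -> " + runPlugin(loader, name));
        }
    }
}
```

Compile and run with `javac AllowlistDemo.java && java AllowlistDemo`: the good plugin returns its string, the bad one is stopped with a NoClassDefFoundError for java/lang/System before exit is ever invoked. The check is purely name-based, which is the "limiting" the answer admits to: an allowlisted class can still hand the plugin instances of types that are not on the list, allowlisting java.lang.Class, java.lang.ClassLoader or java.lang.Thread reopens most of what the loader closes, and nothing here bounds CPU, memory or native code. It is one layer, consistent with the thread's point that isolation inside a single JVM is hard.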
