import java.io.File;
import javax.script.*;
import org.apache.commons.io.FileUtils;
import org.json.JSONObject;
import org.junit.Test;
public class EvalTest {
    @Test
    public void test() throws Exception {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName("JavaScript");
        // "xx" is the nested object from json.txt; optString returns its JSON text
        JSONObject json = new JSONObject(FileUtils.readFileToString(new File("c:\\temp\\json.txt"), "UTF-8"));
        String xx = json.optString("xx");
        // the value is spliced straight into the script source before it is evaluated
        engine.eval("var yy = " + xx + ".yy;");
        Object output = engine.get("yy");
    }
}
json.txt looks like:
{
    xx: {
        inject1: "(function(){java.lang.Runtime.getRuntime().exit(0)})()",
        yy: {
            inject1: "something injected"
        }
    }
}
optString will return a double-quoted string, so is it absolutely safe for the eval function?
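Added example (not code from the question or from org.json): it contrasts the concatenation pattern in the question with handing the value to the engine as data. It assumes org.json on the classpath and a JDK whose "JavaScript" engine is Nashorn (JDK 8 to 14); the input and the `injected` marker are constructed for the demonstration.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import org.json.JSONObject;

public class OptStringEvalDemo {

    // Constructed input: here "xx" is a plain string rather than the nested
    // object in the question. optString() returns it without surrounding quotes.
    static final String INPUT = "{\"xx\": \"1; injected = true; ({})\"}";

    // Pattern from the question: the JSON value is spliced into the script source.
    // Returns true when the value ran as code (the "injected" global was created).
    static boolean evalByConcatenation(ScriptEngine engine, JSONObject json) throws Exception {
        String xx = json.optString("xx");             // 1; injected = true; ({})
        engine.eval("var yy = " + xx + ".yy;");      // var yy = 1; injected = true; ({}).yy;
        return Boolean.TRUE.equals(engine.get("injected"));
    }

    // Hardened form: the value reaches the script only through a binding, as JSON
    // text (valueToString quotes and escapes strings), and is rebuilt with
    // JSON.parse, so its contents can never change the script's structure.
    static boolean evalWithBinding(ScriptEngine engine, JSONObject json) throws Exception {
        engine.put("xxJson", JSONObject.valueToString(json.get("xx")));
        engine.eval("var parsed = JSON.parse(xxJson); var yy = parsed.yy;");
        return Boolean.TRUE.equals(engine.get("injected"));
    }

    static ScriptEngine newEngine() {
        return new ScriptEngineManager().getEngineByName("JavaScript");
    }

    public static void main(String[] args) throws Exception {
        JSONObject json = new JSONObject(INPUT);
        System.out.println("concatenation ran the value as code: " + evalByConcatenation(newEngine(), json));
        System.out.println("binding ran the value as code:       " + evalWithBinding(newEngine(), json));
    }
}
```

With the constructed input the first call reports true, because the string's contents became script statements, while the second reports false. The binding version also handles the question's nested-object value: JSON.parse rebuilds the object and parsed.yy is the inner object.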