I seem to have found a sandbox escape

[Handonglin]

Normally, my code only allows reading all files, but I wrapped the execution of a dangerous command with AccessController.doPrivileged in a lambda, and it actually allowed the dangerous command to execute successfully.

[Geolykt]

Considering that the security manager is deprecated for removal anyways (and has actually already been removed in newer versions of java, iirc) - I am not exactly sure whether keeping sandbox features within janino makes any sense in the first place.

if it were left to me, that class is feature bloat

[Handonglin]

Considering that the security manager is deprecated for removal anyways (and has actually already been removed in newer versions of java, iirc) - I am not exactly sure whether keeping sandbox features within janino makes any sense in the first place.

if it were left to me, that class is feature bloat

People only learn to cherish what they have after losing it

[anders-steen-dige-madsen]

AccessController.doPriviledged() on java versions up to but not including 24 does the following (from the JEP: https://openjdk.org/jeps/486):

"In JDK 24, where a Security Manager is never enabled, the System::getSecurityManager and AccessController::doPrivileged methods behave as they did in JDK 17 when a Security Manager was not enabled:

System::getSecurityManager returns null, and
The six AccessController::doPrivileged methods execute the given action immediately."

[Geolykt]

AccessController.doPriviledged() on java versions up to but not including 24 does the following (from the JEP: https://openjdk.org/jeps/486):

"In JDK 24, where a Security Manager is never enabled, the System::getSecurityManager and AccessController::doPrivileged methods behave as they did in JDK 17 when a Security Manager was not enabled:

System::getSecurityManager returns null, and The six AccessController::doPrivileged methods execute the given action immediately."

That being said, this does not affect Versions such as Java 8 where a Security Manager could very well be configured (even if it is not enabled by default)

[anders-steen-dige-madsen]

AccessController.doPriviledged() on java versions up to but not including 24 does the following (from the JEP: https://openjdk.org/jeps/486):
"In JDK 24, where a Security Manager is never enabled, the System::getSecurityManager and AccessController::doPrivileged methods behave as they did in JDK 17 when a Security Manager was not enabled:
System::getSecurityManager returns null, and The six AccessController::doPrivileged methods execute the given action immediately."

That being said, this does not affect Versions such as Java 8 where a Security Manager could very well be configured (even if it is not enabled by default)

True, but the OP did not specify the java version used, so just to hammer home when this has changed behaviourally is good enough for posterity.