XPages: SSJS & How you can have fun at the office

This article is a demonstration of what harmful things you can do when using the SSJS & prototyping wrong (described here by the great Mark Roden). Don’t do that! Especially not on a productive server!
 

Wanna have a lot of fun in the office with the other developers? Just overwrite some global SSJS functionality! They will never find out what happend to their applications!

 

This is the application we destroy

Our demonstration application uses a small Java class which has only a single method:

package ch.hasselba.xpages;

public class Demo {

    public String foo() {
       return "bar";
    }
 }

This class is used for a label on our XPage and is loaded with the importPackage functionality of SSJS:

<?xml version="1.0" encoding="UTF-8"?>
<xp:view
    xmlns:xp="http://www.ibm.com/xsp/core">

    <xp:label
        id="labelDemo">
        <xp:this.value>    
            <![CDATA[#{javascript:
                importPackage( ch.hasselba.xpages );
                return new ch.hasselba.xpages.Demo().foo();}]]>
        </xp:this.value>
    </xp:label>

</xp:view>

When opening the XPage, nothing special happens, the label is filled with the value „bar“:

Now let’s destroy it!

Add a button on the XPage, containing a single line of SSJS code…

<xp:button
        value="Click Me"
        id="button1">
        <xp:eventHandler
            event="onclick"
            submit="true"
            refreshMode="complete">
            <xp:this.action>
                <![CDATA[#{javascript:prototype.importPackage = null;}]]>
            </xp:this.action>
        </xp:eventHandler>
    </xp:button>

… and reopen the XPage:

Question: What will happen if you click the button?

Answer:

Exactly: The method is destroyed on the whole server! Every XPage which imports a Java package with SSJS will not work anymore. Only a complete server restart helps now. The error message you will receive won’t help you, because it looks like the Java classes could not be found. Now „help“ the other developers with tips like „Maybe a build problem? Have you tried to clean the application?“.

P.S. You can execute the code on other ways, f.e, with an eval statement, or a method binding of your choice.

Tested on ND 8.5.3 & ND 9.0

Dieser Beitrag wurde unter ServerSide JavaScript abgelegt und mit , , , , , verschlagwortet. Setze ein Lesezeichen auf den Permalink.

5 Antworten zu XPages: SSJS & How you can have fun at the office

  1. Thanks for this Post..

    Another reason why i avoid SSJS like the plague.. Altough XPages Java can cause server crashes too, if used wrong 🙂

    • Sure, you can crash the server on different ways. But the point is, that you can overwrite existing functionality and this could affect other applications too.
      This is a simple demonstration for crashing other applications, but with this „technique“ you can do a lot of other bad things…

  2. Perhaps prototype a new function on prototype in SSJS to avoid these issues 🙂

  3. A more interesting implementation might be to overload importPackage to also import another package of your choosing as well as the originally requested package. Bonus points if the package you loaded were sourced from a URL at, say, Dropbox.

  4. Pingback: XPages: Bindings, SSJS, EL and Bindings | blog@hasselba.ch

Schreibe einen Kommentar zu Nathan T Freeman Antworten abbrechen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.