1. Java Developer's Guide
  2. DBMS_JAVASCRIPT Package

B DBMS_JAVASCRIPT Package

The DBMS_JAVASCRIPT package provides a PL/SQL procedure for running DBMS-residing JavaScript code from location identified by its argument.

This chapter contains the following topics:

B.1 DBMS_JAVASCRIPT Overview

The DBMS_JAVASCRIPT package is AUTHID CURRENT_USER package and provides a single procedure RUN, for running JavaScript code. RDBMS users maintain their JavaScript code in RDBMS as Java resource objects stored in their respective schemas.

You can create scripts in your schemas in either of the following two ways:

  • Using the loadjava tool or calling the dbms_java.loadjava procedure

  • Using CREATE [OR REPLACE] JAVA RESOURCE command

B.1.1 The RUN Procedure

This procedure invokes Java code that locates a Java resource with its name provided as the script_name argument. It then submits its content for syntax and semantic analysis, compilation, and evaluation by the Nashorn JavaScript compiler and runtime engine.

Prior to execution, Nashorn code is compiled to Java bytecodes.

Syntax

procedure run(script_name varchar2);

You can call this procedure in the following way:

call dbms_javascript.run('my_script.js');

Note:

  • To run this procedure, you must have the DBJAVASCRIPT role granted.

  • The DBMS_JAVASCRIPT.RUN procedure does not run the text of JavaScript and does not look for scripts in the file system. A Java resource name is the only valid input for this procedure.

B.2 DBMS_JAVASCRIPT Security Model

In order to be able to run JavaScript code, RDBMS users must be granted the role DBJAVASCRIPT.

The argument to the DBMS_JAVASCRIPT.RUN procedure must be a string identifying a valid Java resource that was previously loaded into the user’s own schema. The procedure rejects the following arguments among others:

  • Open-coded scripts

  • File paths

  • URLs

These restrictions are important to prevent the users from writing PL/SQL code, which builds scripts from fragments that may become implicated in JavaScript injection attacks. The scripting mode extensions of Nashorn engine invoked by the DBMS_JAVASCRIPT.RUN procedure are unconditionally disabled and no one including the SYS user can run them. The engine instantiation and use are dependent on the oracle.DbmsJavaScriptUser permission grant. Also, all the Nashorn-related APIs are in the restricted package space of Oracle JVM, and class filtering is applied unconditionally when scripts attempt to load Java classes. The class filtering achieves the following:

  • Rejects any class that fails the Java package access checks as governed by SecurityManager

  • Unconditionally restricts the packages java.security, java.lang.reflect, and oracle.aurora.rdbms.security for loading by any user

The DBJAVASCRIPT role is used by DBAs to administer JavaScript usage in the database. The role is granted a sole grant, which is a oracle.DbmsJavaScriptUser permission.