Improve scripting security (#179)

* Improve scripting security:
- OGNL is now disabled by default as it wasn't really used much (possible to reactivate through a system setting)
- A new condition sanitizer has been added in the ContextServlet to filter out any MVEL scripts (again not used much and can be reactivated using a system property)
- A new ExpressionFilter has been added that will use configurable (system property) regular expressions to filter out possible malicious expressions
- OGNL sandboxing has been improved
- MVEL default imports have been modified to prevent using system-level classes

* Fix bug in sanitizing code

* New scripting execution sub-system:
- Allow-listing of allowed expressions
- Plugins may deploy their own allow-lists using JSON files
- OGNL scripting is now deactivated by default
- Minimal list of built-in MVEL allowed patterns

* Fix typo in marker
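The commit message describes two mechanisms: a regex-based ExpressionFilter that rejects suspicious expressions, and a later allow-listing sub-system with a minimal set of built-in MVEL patterns that plugins can extend through JSON files. The following is an added example, not Apache Unomi's own ExpressionFilter or allow-list code, of how an allow-list filter of that shape works and why the patterns must be anchored to the whole expression. The class name, the property name `example.scripting.ognl.enabled`, the patterns and the sample expressions are all constructed for this illustration; the page does not show Unomi's real property names or JSON format.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical allow-list filter for MVEL-style condition expressions
 * (example code, not Apache Unomi's own ExpressionFilter). An expression is
 * accepted only if the WHOLE string matches at least one allowed pattern;
 * anything not explicitly allowed is rejected.
 */
public class ExpressionAllowListFilter {

    // Hypothetical property name; the real Unomi property is not on the page.
    static final String OGNL_ENABLED_PROPERTY = "example.scripting.ognl.enabled";

    // Minimal built-in patterns (constructed): a dotted property path on the
    // profile or session, optionally compared to a quoted string or integer.
    private static final List<String> BUILT_IN_PATTERNS = List.of(
        "(profile|session)\\.properties(\\.[A-Za-z_][A-Za-z0-9_]*)+",
        "(profile|session)\\.properties(\\.[A-Za-z_][A-Za-z0-9_]*)+"
            + "\\s*(==|!=)\\s*('[^']*'|-?[0-9]+)"
    );

    private final List<Pattern> allowed = new ArrayList<>();

    public ExpressionAllowListFilter() {
        BUILT_IN_PATTERNS.forEach(this::addPattern);
    }

    /** Plugins contribute additional patterns; each is compiled once at load time. */
    public void addPattern(String regex) {
        allowed.add(Pattern.compile(regex));
    }

    /**
     * matches() anchors the pattern to the full input. Using find() here would
     * accept any expression that merely CONTAINS an allowed fragment, so a
     * harmless prefix followed by arbitrary code would slip through.
     */
    public boolean isAllowed(String expression) {
        if (expression == null) {
            return false;
        }
        String trimmed = expression.trim();
        for (Pattern p : allowed) {
            if (p.matcher(trimmed).matches()) {
                return true;
            }
        }
        return false;
    }

    /** OGNL stays off unless explicitly enabled through the (hypothetical) property. */
    public static boolean ognlEnabled() {
        return Boolean.parseBoolean(System.getProperty(OGNL_ENABLED_PROPERTY, "false"));
    }

    public static void main(String[] args) {
        ExpressionAllowListFilter filter = new ExpressionAllowListFilter();

        // Constructed plugin allow-list, standing in for the patterns a plugin
        // would ship in its JSON file: scoring rules may compare a score field.
        List<String> pluginPatterns = List.of(
            "scores\\.[A-Za-z_][A-Za-z0-9_]*\\s*>=?\\s*-?[0-9]+"
        );
        pluginPatterns.forEach(filter::addPattern);

        // Constructed sample expressions: the first three match a pattern in
        // full, the last two do not and are rejected without being evaluated.
        String[] samples = {
            "profile.properties.firstName",
            "profile.properties.country == 'FR'",
            "scores.engagement > 10",
            "profile.properties.firstName; System.getProperty('user.home')",
            "new java.io.File('/')"
        };
        for (String s : samples) {
            System.out.printf("%-62s %s%n", s, filter.isAllowed(s) ? "ALLOWED" : "REJECTED");
        }
        System.out.println("OGNL enabled: " + ognlEnabled());
    }
}
```

The check worth keeping from this example is the use of `matches()` rather than `find()`: an allow-list only restricts what runs if every pattern is tested against the entire expression, and a rejected expression must never reach the MVEL or OGNL evaluator at all.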
38 files changed
tree: 247fc8508b233d8e556b8adf745299bd84f925be
README.md


Apache Unomi

Apache Unomi stores user profile information and is mostly used to provide a backend server for A/B testing and personalization. To do so it implements the OASIS Context Server specification, which is currently under development.

License

The source code is available under the Apache License V2.

Documentation

You can find all the updated documentation, including building and deployment instructions, on the Apache Unomi web site.