
@simonholzapfel
Contributor

CHECKLIST

We will not consider a PR until the following items are checked off--thank you!

  • There aren't existing pull requests attempting to address the issue mentioned here
  • Submission developed in a feature branch--not master

CONVINCING DESCRIPTION

This small change makes it configurable whether scripts executed in the JavaScript Console should run in a secure context or not, with the default configuration not affecting the original behaviour.
This way, for example, the usage of java.* packages like java.lang.Runtime can be prevented by setting the new property ootbee-support-tools.js-console.scriptContext.secure from the default value true to false.

RELATED INFORMATION

Fixes #
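What "secure context" buys in practice, as an added illustration that is not code from this PR or from ootbee-support-tools: Alfresco's Rhino-based script processor is understood to build the scope in two ways, a full ImporterTopLevel for scripts flagged secure (trusted) and a plain standard-objects scope with the Java entry points deleted for scripts flagged non-secure, which is why switching the new property from true to false blocks java.lang.Runtime. The class, method and flag names below are this example's own, the probe script is constructed, and the extra deletion of the other top-level package roots (javax, org, com, edu, net) is this example's addition rather than something the PR claims; where the property is set (alfresco-global.properties) is also an assumption.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ImporterTopLevel;
import org.mozilla.javascript.Scriptable;

/**
 * Added example, not project code. Demonstrates the difference between a "secure"
 * (trusted, full JVM access) and a "non-secure" (sandboxed) Rhino scope, the
 * convention the PR's property name follows:
 *
 *   # alfresco-global.properties (assumed location)
 *   ootbee-support-tools.js-console.scriptContext.secure=false
 */
public final class ScriptContextDemo
{
    // Rhino installs these package roots as globals next to "Packages"; removing them
    // as well is this example's own defence-in-depth step.
    private static final String[] PACKAGE_ROOTS = { "java", "javax", "org", "com", "edu", "net" };

    /** secure=true keeps the historic behaviour: scripts may reach any JVM class. */
    static Scriptable buildScope(Context cx, boolean secure)
    {
        if (secure)
        {
            // Trusted script: Packages / java.* / importClass are all available.
            return new ImporterTopLevel(cx, false);
        }
        // Untrusted script: only the ECMAScript standard objects, with every
        // door into the JVM removed; only explicitly provided root objects remain.
        Scriptable scope = cx.initStandardObjects(null, false);
        scope.delete("Packages");
        scope.delete("getClass");
        for (String root : PACKAGE_ROOTS)
        {
            scope.delete(root);
        }
        return scope;
    }

    /** Evaluates a console script in the chosen scope and reports the outcome. */
    static String run(boolean secure, String source)
    {
        Context cx = Context.enter();
        try
        {
            Scriptable scope = buildScope(cx, secure);
            Object result = cx.evaluateString(scope, source, "js-console", 1, null);
            return "ok: " + Context.toString(result);
        }
        catch (RuntimeException e)
        {
            // Rhino reports the missing global as a ReferenceError (an EcmaError).
            return "blocked: " + e.getMessage();
        }
        finally
        {
            Context.exit();
        }
    }

    public static void main(String[] args)
    {
        // Constructed probe: touches java.lang.Runtime without executing anything.
        String probe = "java.lang.Runtime.getRuntime().availableProcessors()";
        System.out.println("secure=true  -> " + run(true, probe));
        System.out.println("secure=false -> " + run(false, probe));
    }
}
```

Run with Rhino on the classpath: the first line prints the processor count, the second a ReferenceError because the `java` global no longer exists. The check a reviewer would do against the real deployment is the same probe typed into the console on a DEV instance with the property set to false, confirming it is rejected before relying on it in PROD.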

@AFaust
Contributor

AFaust commented Jul 24, 2025

This config property in the backend can make sense if the system overall should be secured, i.e. even admins should be heavily restricted in what they can do with the JavaScript Console.
My immediate thought was that this could also be a "per-request" parameter in the UI, like the "run like crazy" feature. This would allow an admin to selectively run a script with secure context, i.e. to test if it would work the same way before setting it up as a rule in a secure context. With a UI parameter, we could also use this in the dynamic tern generation to potentially limit the scope of type definitions we expose.

An interesting PR - I had not considered that yet, thanks. I might merge it as-is and potentially set up an issue for the UI parameter as a later enhancement (backend flag would remain with such a later change as a global guard / forced-secure flag)

@simonholzapfel
Contributor Author

Thank you!
For our use case it's essential that this parameter is constant system wide and not overridable on the fly.
This way we can facilitate further debugging on a DEV stage while preventing the execution of potentially dangerous code on PROD, as is required for us.

@AFaust AFaust self-assigned this Jul 25, 2025
@AFaust AFaust self-requested a review July 25, 2025 14:44
Contributor

@AFaust AFaust left a comment

Approved in principle - I only ask to consider renaming the configuration property to a more easily understandable one. I'd do the change myself before merging if the PR allowed pushing changes to the branch.

@AFaust AFaust added this to the 1.3.0.0 milestone Jul 25, 2025
@simonholzapfel simonholzapfel requested a review from AFaust July 28, 2025 08:21
@AFaust AFaust merged commit a4a453f into OrderOfTheBee:master Jul 28, 2025
1 check passed