JEXL-465, JEXL-464, JEXL-463 : the 3.7.0 release improvements;#406

Merged: henrib merged 4 commits into master from JEXL-465, Jun 27, 2026

henrib (Contributor) commented Jun 26, 2026
  • SECURE permissions and hardened features become the default (no new, no global side-effects, no pragmas/annotations; lexical on, loops kept for scripts); add JexlBuilder.FULL and setDefaultFeatures to restore pre-3.7 behavior (JEXL-464)
  • add JexlConfigLoader to build an engine from YAML (JEXL-465)
  • add JexlPermissions.logging() to log allow/deny decisions; add SECURE constant (JEXL-463)
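
The hardened feature list in the description above, set explicitly through the `JexlFeatures` and `JexlBuilder` calls that predate this change (an added example, not code from the pull request or the project). `JexlPermissions.RESTRICTED` stands in for the new `SECURE` constant as an assumption, and the class name, helper and sample scripts are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlFeatures;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class HardenedJexlDemo {
    /** Feature flags mirroring the hardened list in the description, one per item. */
    static JexlFeatures hardened() {
        return new JexlFeatures()
            .newInstance(false)       // "no new"
            .sideEffectGlobal(false)  // "no global side-effects"
            .pragma(false)            // "no pragmas"
            .annotation(false)        // "no annotations"
            .lexical(true)            // "lexical on"
            .loops(true);             // "loops kept for scripts"
    }

    /** Returns null when the script is accepted by the parser, else the rejection message. */
    static String rejection(JexlEngine jexl, String src) {
        try {
            jexl.createScript(src);
            return null;
        } catch (JexlException e) {   // feature violations surface when the script is parsed
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = new JexlBuilder()
            .features(hardened())
            .permissions(JexlPermissions.RESTRICTED) // assumption: stand-in for SECURE
            .create();
        // Constructed sample scripts, one per disabled feature.
        String[] denied = {
            "new('java.lang.StringBuilder')",   // object creation
            "counter = counter + 1",            // assignment to a global (context) variable
            "#pragma my.flag true\n 42",        // pragma
            "@synchronized { 42 }"              // annotation
        };
        for (String src : denied) {
            System.out.println((rejection(jexl, src) != null ? "rejected: " : "ACCEPTED: ") + src.trim());
        }
        // Loops and local variables remain usable in scripts.
        String loop = "var s = 0; for (var i : [1, 2, 3]) { s = s + i; } s";
        System.out.println("loop result: " + jexl.createScript(loop).execute(new MapContext()));
    }
}
```

Any line printed as `ACCEPTED` marks a feature the engine still parses, which makes the class usable as a quick regression check when moving a code base between engine configurations.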

henrib added 2 commits June 26, 2026 15:14
- SECURE permissions and hardened features become the default (no new, no global
  side-effects, no pragmas/annotations; lexical on, loops kept for scripts); add
  JexlBuilder.FULL and setDefaultFeatures to restore pre-3.7 behavior (JEXL-464)
- add JexlConfigLoader to build an engine from YAML (JEXL-465)
- add JexlPermissions.logging() to log allow/deny decisions; add SECURE constant (JEXL-463)

garydgregory (Member) left a comment

Hi @henrib
I've made a superficial pass and added comments.

Comment thread src/main/java/org/apache/commons/jexl3/scripting/JexlScriptEngineFactory.java Outdated
Comment thread src/changes/changes.xml
Comment thread src/site/xdoc/index.xml Outdated
henrib added 2 commits June 26, 2026 19:20
- tighten SECURE/RESTRICTED to deny file, env, loader, thread access;
- add NONE deny-all base and create() factory;
- fix getClass() bypass in Permissions.allow(Class,Method);
- add JexlBuilder.setDefaultOptions();
- add security disclaimer in package-info.java and site index;
- raise coverage: JexlConfigLoader option flags, LoggingPermissions;
henrib requested a review from garydgregory June 26, 2026 17:53

garydgregory (Member) left a comment

Note that the release notes are generated from changes.xml whenever I create a release candidate, so anything in there will be overwritten.

henrib merged commit e785beb into master Jun 27, 2026
14 checks passed