You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While this is very flexible and powerful the project has gone stale and unmaintained.
In addition there is a severe security issue https://nvd.nist.gov/vuln/detail/CVE-2023-50571
even though that relies on a insecure class being loaded and used as part of rule validation. Since dynamic loading of such classes is not part of Trino Gateway this most likely does not apply.
We should remove easy-rules usage and find alternatives. We also discussed declaring rules in a scripting language (or even plain java). In any case .. we will have to figure out security aspects around all that.
Agreed that calling this CVE a High is a stretch....
Looks like mvel has addImport methods for controlling which classes are available, so it may not be affected by the linked CVE.
With either mvel or jexl we'll need to reimplements the rule wrappers & prioritization provided by easy-rules, so we should evaluate both options. I think it will be similar effort either way
Currently Trino Gateway uses easyrules https://github.com/j-easy/easy-rules to allow custom routing rule definition.
While this is very flexible and powerful the project has gone stale and unmaintained.
In addition there is a severe security issue https://nvd.nist.gov/vuln/detail/CVE-2023-50571
even though that relies on a insecure class being loaded and used as part of rule validation. Since dynamic loading of such classes is not part of Trino Gateway this most likely does not apply.
We should remove easy-rules usage and find alternatives. We also discussed declaring rules in a scripting language (or even plain java). In any case .. we will have to figure out security aspects around all that.
Options might be:
The text was updated successfully, but these errors were encountered: