Remove easyrules #527

Open
mosabua opened this issue Oct 16, 2024 · 2 comments · May be fixed by #540

Comments

@mosabua
Member

mosabua commented Oct 16, 2024

Currently Trino Gateway uses easyrules https://github.com/j-easy/easy-rules to allow custom routing rule definition.

While this is very flexible and powerful the project has gone stale and unmaintained.

In addition there is a severe security issue https://nvd.nist.gov/vuln/detail/CVE-2023-50571
even though that relies on an insecure class being loaded and used as part of rule validation. Since dynamic loading of such classes is not part of Trino Gateway this most likely does not apply.

We should remove easy-rules usage and find alternatives. We also discussed declaring rules in a scripting language (or even plain Java). In any case, we will have to figure out security aspects around all that.

Options might be:

@willmostly
Contributor

Agreed that calling this CVE a High is a stretch....
Looks like mvel has addImport methods for controlling which classes are available, so it may not be affected by the linked CVE.

With either mvel or jexl we'll need to reimplement the rule wrappers & prioritization provided by easy-rules, so we should evaluate both options. I think it will be similar effort either way.
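To make the two points in the comment above concrete (restricting which classes a rule expression can reach, and re-creating the easy-rules name/priority/condition wrapper), here is an added illustrative sketch using Apache Commons JEXL 3.x. It is not Trino Gateway code and not part of this thread; the `RequestInfo` and `RoutingRule` shapes, the `request` variable name, and the sample requests are assumptions made for the example, and it requires `org.apache.commons:commons-jexl3` on the classpath.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

// Illustrative example, not Trino Gateway code: a minimal stand-in for the
// easy-rules name/priority/condition wrapper, with conditions evaluated by a
// deny-by-default sandboxed JEXL engine.
public class SandboxedRoutingRules
{
    // Hypothetical view of an incoming request exposed to rules (field names assumed).
    public record RequestInfo(String user, String source, String queryType) {}

    // Hypothetical rule shape: name and priority as in easy-rules, condition as JEXL.
    public record RoutingRule(String name, int priority, String condition, String routingGroup) {}

    private final JexlEngine jexl;

    public SandboxedRoutingRules()
    {
        // JexlSandbox(false): every class is blocked unless explicitly allowed.
        // Only the request type and String are reachable from a rule body.
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.allow(RequestInfo.class.getName());
        sandbox.allow(String.class.getName());

        this.jexl = new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // unknown variables and methods are errors, not null
                .safe(false)    // no lenient null-propagation through dotted chains
                .silent(false)  // raise JexlException instead of logging and continuing
                .create();
    }

    // Evaluate rules in priority order; lower value runs first, as in easy-rules.
    public Optional<String> route(List<RoutingRule> rules, RequestInfo request)
    {
        JexlContext context = new MapContext();
        context.set("request", request);

        return rules.stream()
                .sorted(Comparator.comparingInt(RoutingRule::priority))
                .filter(rule -> matches(rule, context))
                .map(RoutingRule::routingGroup)
                .findFirst();
    }

    private boolean matches(RoutingRule rule, JexlContext context)
    {
        JexlExpression expression = jexl.createExpression(rule.condition());
        Object result = expression.evaluate(context);
        if (!(result instanceof Boolean matched)) {
            throw new IllegalArgumentException("rule " + rule.name() + " did not evaluate to a boolean");
        }
        return matched;
    }

    public static void main(String[] args)
    {
        SandboxedRoutingRules router = new SandboxedRoutingRules();
        // Constructed sample request, not real gateway traffic.
        RequestInfo request = new RequestInfo("alice", "airflow", "SELECT");

        List<RoutingRule> rules = List.of(
                new RoutingRule("etl", 10, "request.source() == 'airflow'", "etl"),
                new RoutingRule("adhoc", 20, "request.queryType() == 'SELECT'", "adhoc"));
        System.out.println(router.route(rules, request)); // Optional[etl]: priority 10 wins

        // A hostile condition that tries to walk from a String to its ClassLoader.
        // String.getClass() is permitted (String is allow-listed), but the result is a
        // java.lang.Class, which is not, so getClassLoader() is rejected and evaluate() throws.
        List<RoutingRule> hostile = List.of(
                new RoutingRule("escape", 1, "request.user().getClass().getClassLoader() != null", "etl"));
        try {
            router.route(hostile, request);
            System.out.println("UNEXPECTED: hostile rule evaluated");
        }
        catch (JexlException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The point to check when reviewing a rule engine built this way is where a method chain is cut off: the sandbox decides per class of the object actually reached at runtime, so every type returned by an allow-listed method (here `java.lang.Class` from `getClass()`) must itself be denied for the allow-list to hold. Rules are also compiled and evaluated only from configuration the operator supplies, which is the situation mosabua describes above; none of this involves loading user-supplied classes during rule validation.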

@mosabua
Member Author

mosabua commented Oct 16, 2024

We should also check with airlift and trino projects if there are any recommendations

@willmostly willmostly linked a pull request Oct 30, 2024 that will close this issue