Skip to content

[4.x.x] Improve security and configurability of functions that access the Environment and System Properties #4449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 12 commits into
base: develop-4.x.x
Choose a base branch
from
Draft

[4.x.x] Improve security and configurability of functions that access the Environment and System Properties #4449

wants to merge 12 commits into from

Conversation

adamretter
Copy link
Contributor

@adamretter adamretter commented Jun 20, 2022
edited
Loading

This adds better security controls for accessing Environment Variables and Java System Properties.

  • Fixed the return cardinality type of fn:environment-variable#1.
  • fn:available-environment-variables#0 and fn:enviroment-variable#1 are now deterministic.
  • Added the function util:available-system-properties#0.
  • util:available-system-properties#0 and util:system-property#1 are now deterministic.
  • Allow access to specific Environment Variables when using fn:available-environment-variables#0 and fn:environment-variable#1 to be configured from conf.xml
  • Allow access to specific Java System Properties when using fn:available-system-properties#0 and fn:system-property#1 to be configured from conf.xml

adamretter added 11 commits June 20, 2022 15:52
@adamretter
[ignore] Reformat code
5f3b623
@adamretter
[ignore] Fix Typo
63472e9
@adamretter
[bugfix] Fix cardinality of return type for fn:environment-variable
f7276fb
@adamretter
[bugfix] fn:available-environment-variables and fn:environment-variab…
3e6375a 
…le should be deterministic within the execution scope
@adamretter
[bugfix] Make thread-safe
dee7ab9
@adamretter
[refactor] Rename class to ExistSystemProperties to make it clear the…
278f152 
…se are not Java System Properties
@adamretter
[refactor] Use constants for eXist-db System Properties
9bad18d
@adamretter
[bugfix] util:system-property should be deterministic within the exec…
fa7ecab 
…ution scope
@adamretter
[feature] Add the function util:available-system-properties#0
882124e
@adamretter
[feature] Allow access to specific Environment Variables when using f…
856ad49 
…n:available-environment-variables#0 and fn:environment-variable#1 to be configured from conf.xml
@adamretter
[feature] Allow access to specific Java System Properties when using …
595a99c 
…fn:available-system-properties#0 and fn:system-property#1 to be configured from conf.xml
@adamretter adamretter added bug issue confirmed as bug enhancement new features, suggestions, etc. labels Jun 20, 2022
@adamretter adamretter added this to the eXist-4.10.1 milestone Jun 20, 2022
@adamretter adamretter requested a review from a team June 20, 2022 22:35
@adamretter adamretter marked this pull request as ready for review June 21, 2022 15:00
ljo
ljo approved these changes Jun 21, 2022
View reviewed changes
Copy link
Member

@ljo ljo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@line-o line-o added the needs documentation Signals issues or PRs that will require an update to the documentation repo label Jun 21, 2022
This was referenced Jun 21, 2022
Draft
Draft
@line-o line-o removed the needs documentation Signals issues or PRs that will require an update to the documentation repo label Jun 22, 2022
@adamretter adamretter marked this pull request as draft August 15, 2022 17:46
@adamretter adamretter modified the milestones: eXist-4.10.1, eXist-4.11.1 Jan 11, 2023
@adamretter adamretter modified the milestones: eXist-4.11.1, eXist-4.11.3 Oct 17, 2024
@line-o
Copy link
Member

line-o commented Aug 3, 2025

I propose to close this PR without further action as exist-db v4 is EOL and no longer maintained

@line-o line-o added the close-without-action Proposed to be closed without further action. This will be voted on on the next community call. label Aug 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljo ljo ljo approved these changes

Assignees

No one assigned

Labels

bug issue confirmed as bug close-without-action Proposed to be closed without further action. This will be voted on on the next community call. enhancement new features, suggestions, etc.

Projects

None yet

Milestone

eXist-4.11.3

Development

Successfully merging this pull request may close these issues.

3 participants

@adamretter @line-o @ljo