Hi everyone, I'm Davide, a CS student and contributor to Apache StormCrawler. I'm planning to apply for the GSoC 2026 project regarding the Core Query Engine upgrade.
I've started exploring the codebase to understand the current Gremlin/Groovy security execution layer. The proposal mentions a HugeGraphSecurity component. I found HugeGraphGremlinPlugin and some auth-related classes (like HugeFactoryAuthProxy) under org.apache.hugegraph.auth, but I couldn't clearly identify which component is currently responsible for the sandbox isolation. Could you point me in the right direction?

Regarding the reflection bypasses (like the one in CVE-2024-27348), I was reading up on Groovy 4 features. Instead of relying only on runtime permission checks, do you think it would make sense for my proposal to explore a compile-time AST-level whitelist (maybe using something like SecureASTCustomizer)? I also noted the target is to bump TinkerPop from the current 3.5.1 baseline up to 3.7+.

Before working on the proposal draft, I'd like to pick up a "good first issue" to get familiar with the repo and the workflow. Are there any open tasks related to the core engine or tests that you'd recommend starting with?

Thanks for your time,
Davide (@dpol1 <https://github.com/dpol1>)
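As an added illustration of the compile-time approach the message asks about (example code, not from the poster or from the HugeGraph project), the following Java class builds a Groovy 4 SecureASTCustomizer policy that refuses imports, static calls on reflection and process entry points, and method or property names that reach the reflection layer, and applies it when a script is parsed rather than when it runs. It assumes Groovy 4.x on the classpath (the allowed/disallowed method names are the Groovy 4 spellings); the sample scripts and the denied-name sets are constructed here.

```java
import groovy.lang.GroovyShell;
import java.util.List;
import java.util.Set;
import org.codehaus.groovy.ast.expr.MethodCallExpression;
import org.codehaus.groovy.ast.expr.PropertyExpression;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

public class GroovyAstSandboxDemo {
    // Names that lead from a plain script into reflection or metaprogramming (constructed list).
    static final Set<String> DENIED_CALLS = Set.of("getClass", "forName", "newInstance",
            "invokeMethod", "getMetaClass", "setMetaClass", "getDeclaredMethods", "getMethod");
    static final Set<String> DENIED_PROPS = Set.of("class", "metaClass");

    static CompilerConfiguration sandboxConfig() {
        SecureASTCustomizer sec = new SecureASTCustomizer();
        sec.setPackageAllowed(false);             // script may not declare a package
        sec.setMethodDefinitionAllowed(false);    // no helper methods to hide calls in
        sec.setIndirectImportCheckEnabled(true);  // fully qualified names inline are checked too
        sec.setAllowedImports(List.of());         // empty allow-list: every import is refused
        sec.setAllowedStarImports(List.of());
        sec.setAllowedStaticImports(List.of());
        sec.setAllowedStaticStarImports(List.of());
        // Static calls on these receivers are refused (e.g. Runtime.getRuntime()).
        sec.setDisallowedReceiversClasses(List.<Class>of(Class.class, ClassLoader.class,
                Runtime.class, ProcessBuilder.class, System.class, Thread.class));
        sec.addExpressionCheckers(expr -> {
            if (expr instanceof MethodCallExpression) {
                String name = ((MethodCallExpression) expr).getMethodAsString();
                // null = method name computed at runtime; the AST cannot vet it, so refuse it
                return name != null && !DENIED_CALLS.contains(name);
            }
            if (expr instanceof PropertyExpression) {
                String name = ((PropertyExpression) expr).getPropertyAsString();
                return name != null && !DENIED_PROPS.contains(name);
            }
            return true;
        });
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(sec);
        return config;
    }

    /** Compiles (never executes) a script under the policy; false means it was rejected. */
    static boolean compiles(String script) {
        try {
            new GroovyShell(sandboxConfig()).parse(script);
            return true;
        } catch (SecurityException | CompilationFailedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(compiles("g.V().has('name', 'marko').out('knows').count()")); // true
        System.out.println(compiles("'x'.getClass()"));                                  // false
        System.out.println(compiles("this.\"${name}\"()"));                              // false
    }
}
```

A static AST policy only sees what is spelled out in the source, which is why a runtime-computed method name is refused rather than analysed; it complements the existing runtime permission checks rather than replacing them.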
