Hi Davide,

Thanks for your interest and the detailed analysis. Here are the quick answers to your questions:

Current Sandbox: HugeGraph currently does not have a built-in sandbox mechanism. We rely on an external Groovy open-source project for isolation rather than a native/built-in implementation.

AST Whitelist: It's worth exploring, but please pay special attention to the potential performance impact this might introduce.

Good First Issues: You can browse the current issue list or try using DeepWiki to find suitable tasks. To be honest, we need to spend more time curating the "good first issue" list for newcomers, but it has been delayed due to our limited bandwidth recently.

Feel free to dive into the code, and we look forward to your proposal!

Best regards,
Imba Jin - Apache HugeGraph PMC member

On 2026/03/26 09:40:15 Davide Polato wrote:
> Hi everyone,
>
> I'm Davide, a CS student and contributor to Apache StormCrawler. I'm
> planning to apply for the GSoC 2026 project regarding the Core Query Engine
> upgrade.
>
> I've started exploring the codebase to understand the current
> Gremlin/Groovy security execution layer. The proposal mentions a
> HugeGraphSecurity component. I found HugeGraphGremlinPlugin and some
> auth-related classes (like HugeFactoryAuthProxy) under
> org.apache.hugegraph.auth, but I couldn't clearly identify which component
> is currently responsible for the sandbox isolation. Could you point me in
> the right direction?
>
> Regarding the reflection bypasses (like the one in CVE-2024-27348), I was
> reading up on Groovy 4 features. Instead of relying only on runtime
> permission checks, do you think it would make sense for my proposal to
> explore a compile-time AST-level whitelist (maybe using something like
> SecureASTCustomizer)? I also noted the target is to bump TinkerPop from the
> current 3.5.1 baseline up to 3.7+.
>
> Before working on the proposal draft, I'd like to pick up a "good first
> issue" to get familiar with the repo and the workflow. Are there any open
> tasks related to the core engine or tests that you'd recommend starting
> with?
>
> Thanks for your time,
> Davide (@dpol1 <https://github.com/dpol1>)
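The compile-time AST gate that the thread discusses, as an added example that is not part of this thread and not HugeGraph's or Groovy's own code: a SecureASTCustomizer configuration in Java, compiled (not executed) against a Gremlin-shaped script it accepts and several script shapes it rejects. The class name, the deny lists and the sample scripts are assumptions chosen for illustration; the setter names are the Groovy 4 ones (setDisallowed*/setAllowed*, where Groovy 3 used *Blacklist/*Whitelist), and org.apache.groovy:groovy 4.x is assumed on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import groovy.lang.GroovyShell;
import org.codehaus.groovy.ast.expr.ConstantExpression;
import org.codehaus.groovy.ast.expr.MethodCallExpression;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

/**
 * Added example, not HugeGraph code: a compile-time AST gate built on Groovy's
 * SecureASTCustomizer. Assumes Groovy 4.x; list contents are illustrative.
 */
public class AstGateDemo {

    /** Builds a GroovyShell whose compiler rejects the listed AST shapes before any code runs. */
    static GroovyShell sandboxedShell() {
        SecureASTCustomizer gate = new SecureASTCustomizer();

        // Classes a query script must never name (assumed list; a production gate would
        // use setAllowedReceivers/setAllowedImports, i.e. default deny, instead).
        List<String> forbidden = List.of(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.Thread",
            "groovy.lang.GroovyShell", "groovy.util.Eval");
        gate.setDisallowedImports(forbidden);
        // Also check class references that appear without an import (java.lang.* needs none).
        gate.setIndirectImportCheckEnabled(true);
        // Reject method calls and property reads whose statically known receiver type is listed.
        gate.setDisallowedReceivers(forbidden);

        // Query scripts are expressions; package and method declarations have no business there.
        gate.setPackageAllowed(false);
        gate.setMethodDefinitionAllowed(false);

        // A dynamic method name (obj."${name}"()) hides the call target from the AST visitor,
        // so refuse any call whose method name is not a compile-time constant.
        gate.addExpressionCheckers(expr -> {
            if (expr instanceof MethodCallExpression) {
                return ((MethodCallExpression) expr).getMethod() instanceof ConstantExpression;
            }
            return true;
        });

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(gate);
        return new GroovyShell(config);
    }

    /** Compiles a script without running it and reports whether the gate accepted it. */
    static boolean compiles(GroovyShell shell, String script) {
        try {
            shell.parse(script);
            return true;
        } catch (SecurityException | CompilationFailedException e) {
            // The customizer raises SecurityException; depending on the phase the compiler
            // surfaces it as a MultipleCompilationErrorsException (a CompilationFailedException).
            return false;
        }
    }

    public static void main(String[] args) {
        GroovyShell shell = sandboxedShell();

        // Constructed sample scripts. The first stands in for an ordinary traversal; `g` is
        // never bound because nothing is executed, only compiled.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("benign traversal", "g.V().has('name', 'marko').out('knows').values('name')");
        samples.put("static receiver", "Runtime.getRuntime().exec('id')");
        samples.put("fully qualified, no import", "java.lang.Runtime.getRuntime().exec('id')");
        samples.put("dynamic method name", "def m = 'values'; g.\"$m\"('name')");
        // Receiver types here are only known at run time (loader and c are dynamically typed),
        // so the static receiver check has nothing to match against. This is the documented
        // limitation of AST-level checks and the reason a runtime guard is still required.
        samples.put("dynamic receiver via ClassLoader",
            "def loader = this.class.classLoader; def c = loader.loadClass('java.lang.Runtime'); c.getRuntime()");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-32s -> %s%n", e.getKey(),
                compiles(shell, e.getValue()) ? "compiles" : "rejected at compile time");
        }
    }
}
```

Two points for the performance discussion above: the gate costs one extra AST walk per compilation, not per execution, so caching the parsed Script per query text keeps the overhead off the hot path, and because the check is purely static it cannot replace the runtime layer, only narrow what reaches it.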
