[
https://issues.apache.org/jira/browse/UNOMI-889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Serge Huber reassigned UNOMI-889:
---------------------------------
Assignee: Serge Huber (was: Jerome Blanchard)
> Remove OGNL scripting support
> -----------------------------
>
> Key: UNOMI-889
> URL: https://issues.apache.org/jira/browse/UNOMI-889
> Project: Apache Unomi
> Issue Type: Sub-task
> Components: unomi(-core)
> Affects Versions: unomi-3.0.0
> Reporter: Serge Huber
> Assignee: Serge Huber
> Priority: Major
> Fix For: unomi-3.1.0
>
>
> h2. Remove OGNL Usage from Unomi
> h3. Description
> Apache Unomi currently uses OGNL (Object Graph Navigation Language) which has
> been deprecated since version 1.5.2. This dependency poses significant
> security risks and has been deactivated by default since its deprecation.
> Additionally, it's causing compatibility issues with Java 17. We need to
> completely remove OGNL usage from the codebase, including all references in
> configuration, documentation, and automated tests.
> h3. Current Situation
> * OGNL version 3.4.3 is currently used in the project (as seen in pom.xml)
> * OGNL is deprecated since version 1.5.2
> * Security vulnerabilities associated with OGNL usage
> * Compatibility issues with Java 17
> * OGNL is deactivated by default since deprecation
> * Project already has a comprehensive hardcoded property resolver implementation
> h3. Impact
> * Security vulnerabilities in the application
> * Potential compatibility issues with newer Java versions
> * Maintenance overhead for deprecated technology
> * Risk of security breaches due to OGNL's known vulnerabilities
> h3. Proposed Solution
> 1. Remove OGNL dependency from pom.xml
> 2. Replace OGNL expressions with existing hardcoded property resolver:
> * Use the current comprehensive property resolver implementation
> * Expand the property resolver implementation if additional functionality is needed
> * Avoid introducing new scripting languages or expression evaluators to
> prevent new security vulnerabilities
> 3. Update all configuration files that reference OGNL
> 4. Update documentation to remove OGNL references
> 5. Update and modify automated tests that use OGNL
> 6. Add migration guide for users who might be using OGNL expressions
> h3. Technical Tasks
> # Remove OGNL dependency from pom.xml
> # Search and replace OGNL usage in:
> ** Configuration files
> ** Source code
> ** Test files
> ** Documentation
> # Expand existing property resolver implementation if needed
> # Update test cases to use property resolver
> # Create migration guide for users
> h3. Dependencies
> * No new dependencies required
> * Will remove OGNL dependency
> h3. Testing Requirements
> * Unit tests for property resolver functionality
> * Integration tests to ensure functionality
> * Security tests to verify removal of vulnerabilities
> * Performance tests to ensure no degradation
> h3. Documentation Updates
> * Update configuration documentation
> * Update API documentation
> * Create migration guide
> * Update examples and tutorials
> h3. Security Considerations
> * Ensure no security vulnerabilities are introduced during migration
> * Verify all property resolution is properly sanitized
> * Document security best practices for property resolver usage
> h3. Migration Guide Requirements
> * List of deprecated OGNL features
> * Property resolver alternatives for each OGNL feature
> * Code examples for migration
> * Common pitfalls and how to avoid them
> h3. Acceptance Criteria
> * All OGNL dependencies removed from pom.xml
> * No OGNL references in configuration files
> * No OGNL usage in source code
> * All tests passing with property resolver
> * Documentation updated and migration guide created
> * Security review completed
> * Performance benchmarks show no degradation
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
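The kind of restricted property resolver the issue proposes in place of OGNL, sketched here as an added example that is not Unomi's own code: a dotted path is walked over nested maps only, every segment must be a plain identifier (so there is no syntax an expression evaluator could read as a method call, index or operator), and only allowlisted root properties are reachable. The class name, the allowlist and the sample profile are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical allowlist-based property resolver; illustrative only, not Unomi's PropertyHelper. */
public final class SafePropertyResolver {
    // A segment is a bare identifier: no parentheses, brackets, quotes, '@' or '#',
    // so a path can only ever name data, never invoke code or navigate reflection.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    private static final int MAX_PATH_LENGTH = 256;

    private final Set<String> allowedRoots;

    public SafePropertyResolver(Set<String> allowedRoots) {
        this.allowedRoots = Set.copyOf(allowedRoots);
    }

    /**
     * Resolves a dotted path such as "properties.address.city" against nested maps.
     * Returns null when the path is absent, malformed, or not under an allowed root.
     */
    public Object resolve(Map<String, Object> root, String path) {
        if (path == null || path.isEmpty() || path.length() > MAX_PATH_LENGTH) return null;
        String[] segments = path.split("\\.", -1);           // keep empty segments so "a..b" is rejected below
        if (!allowedRoots.contains(segments[0])) return null;  // only known top-level properties are exposed
        Object current = root;
        for (String segment : segments) {
            if (!SEGMENT.matcher(segment).matches()) return null; // rejects "getClass()", "['x']", "@pkg@Cls" etc.
            if (!(current instanceof Map)) return null;           // never reflect on arbitrary Java objects
            current = ((Map<?, ?>) current).get(segment);
            if (current == null) return null;
        }
        return current;
    }

    public static void main(String[] args) {
        // Constructed sample profile, not real Unomi data.
        Map<String, Object> profile = Map.of(
            "itemId", "p-123",
            "properties", Map.of("firstName", "Ada", "address", Map.of("city", "Lyon")),
            "systemProperties", Map.of("internal", "not-for-rules"));
        SafePropertyResolver resolver = new SafePropertyResolver(Set.of("itemId", "properties"));

        System.out.println(resolver.resolve(profile, "properties.address.city"));   // plain data path
        System.out.println(resolver.resolve(profile, "systemProperties.internal")); // root is not allowlisted
        System.out.println(resolver.resolve(profile, "properties.getClass().name")); // segment is not an identifier
        System.out.println(resolver.resolve(profile, "properties['firstName']"));    // bracket syntax is rejected
    }
}
```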