turanalmammadov opened a new pull request, #4036: URL: https://github.com/apache/hertzbeat/pull/4036
Closes #3542

## What's Changed?

Added a comprehensive documentation page about H2 database usage in HertzBeat, clearly communicating that it is **testing-only and not for production** environments.

## Why This Matters

H2 has a critically dangerous feature (`CREATE ALIAS`) that allows arbitrary Java code and shell command execution. Without proper documentation, users may unknowingly deploy HertzBeat with H2 in production, creating severe security vulnerabilities.

## Documentation Coverage

### 🔴 Security Risks

- Explains H2 `CREATE ALIAS` arbitrary code execution
- Shows a concrete dangerous SQL example
- Network exposure risks (ports 8082, 9092)
- What attackers can do if H2 is accessible

### ✅ Appropriate Use Cases

- Local development
- CI/CD automated testing
- Demos and evaluations

### 🚫 Inappropriate Use Cases

- Production deployments
- Multi-user environments
- Internet-accessible instances

### 🔒 Migration Guide

- **MySQL migration**: Complete SQL + YAML configuration
- **PostgreSQL migration**: Complete SQL + YAML configuration
- **Temporary hardening** if migration is delayed

### 📋 Production Security Checklist

An 8-point checklist ensuring production readiness

## Files Added

- `home/docs/help/h2.md` (English)
- `home/i18n/zh-cn/.../h2.md` (Chinese)

## Format

Follows the existing MySQL/MariaDB documentation structure and prominently displays the critical security warning at the top.

Signed-off-by: Turan Almammadov <[email protected]>

Made with [Cursor](https://cursor.com)
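As an added example, not part of this pull request or of the HertzBeat project: a small pre-deployment check in the spirit of the production checklist described above, which refuses a config that still points HertzBeat at H2 and separately flags the network-exposed cases (H2 over TCP on 9092, the web console on 8082). It assumes HertzBeat's `application.yml` follows the Spring Boot `spring.datasource.url` / `spring.h2.console.enabled` layout (an assumption) and runs against constructed sample configs.

```python
# Pre-deployment check that flags an H2 datasource in a Spring Boot style config.
# Added example, not code from the PR or HertzBeat; the key layout is an assumption.
import re
from typing import List

# Constructed sample configs (not taken from the project).
H2_CONFIG = """
spring:
  datasource:
    driver-class-name: org.h2.Driver
    url: jdbc:h2:tcp://0.0.0.0:9092/./data/hertzbeat
  h2:
    console:
      enabled: true
"""
MYSQL_CONFIG = """
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://db.internal:3306/hertzbeat?useSSL=true
"""

def audit_datasource(yaml_text: str) -> List[str]:
    """Return findings for a config; an empty list means no H2 usage was found."""
    findings: List[str] = []
    url_match = re.search(r"^\s*url:\s*(\S+)", yaml_text, re.MULTILINE)
    if not url_match:
        return ["no datasource url configured"]
    url = url_match.group(1)
    # JDBC URLs look like jdbc:<scheme>:...; the scheme names the database engine.
    scheme = url.split(":")[1] if url.startswith("jdbc:") else ""
    if scheme == "h2":
        findings.append("H2 datasource in use: testing-only, migrate to MySQL/PostgreSQL")
        if url.startswith("jdbc:h2:tcp://"):
            findings.append("H2 reached over TCP (default port 9092): network-exposed")
    # The H2 web console (default port 8082) must never be enabled in production.
    if re.search(r"^\s*h2:\s*\n\s*console:\s*\n\s*enabled:\s*true", yaml_text, re.MULTILINE):
        findings.append("H2 web console enabled (default port 8082): disable it")
    return findings

def is_production_ready(yaml_text: str) -> bool:
    """True only when the audit produced no findings."""
    return not audit_datasource(yaml_text)

if __name__ == "__main__":
    for name, cfg in (("h2", H2_CONFIG), ("mysql", MYSQL_CONFIG)):
        print(name, "OK" if is_production_ready(cfg) else audit_datasource(cfg))
```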
