
Comparing changes

base repository: rehack/APIJSON
base: master
head repository: Tencent/APIJSON
compare: master
  • 5 commits
  • 2 files changed
  • 2 contributors

Commits on May 16, 2026

  1. fix(security): unsandboxed jsr223 script execution enables arbitr

    JSR223ScriptExecutor.load() compiles arbitrary script strings via Compilable.compile() and execute() runs them via eval() with no ClassFilter, sandbox, or restricted ScriptContext. The bindings expose `_meta`, `args`, and `extParam`, but Nashorn/JS engines by default give scripts full access to Java reflection (e.g., Java.type('java.lang.Runtime').getRuntime().exec(...)). Comments in Operation.java explicitly warn 'JDK 8~13 can use the built-in Nashorn JS engine; take care to configure a ClassFilter to prevent script injection attacks', but no ClassFilter is configured here. If script content is sourced from a database row, request payload, or any user-influenced channel (which the IF/CODE Operation suggests), this becomes RCE.
    
    Affected files: JSR223ScriptExecutor.java
    
    Signed-off-by: Nguyen Van Nam <nam.nv205106@gmail.com>
    Nam0101 committed May 16, 2026
    441e1fa
  2. fix: resolve Tencent#853 — [Feature] Is there no Demo for version 8.x?

    Fixes Tencent#853
    
    Signed-off-by: Nguyen Van Nam <nam.nv205106@gmail.com>
    Nam0101 committed May 16, 2026
    bf4ef18
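
The ClassFilter mitigation named in the first commit message, as an added example (not code from the commit or from APIJSON): a Nashorn engine built with a deny-by-default filter, probed with a benign class lookup. The class name `FilteredNashornDemo` and the empty allow-list are assumptions for illustration, and the imports assume the Nashorn bundled with JDK 8 to 14 (the standalone engine uses the `org.openjdk.nashorn.api.scripting` package instead).

```java
import java.util.Collections;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import javax.script.SimpleBindings;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class FilteredNashornDemo {  // hypothetical class name
    // Allow-list of Java class names scripts may resolve; empty denies all.
    static final Set<String> ALLOWED = Collections.emptySet();

    static ScriptEngine newFilteredEngine() {
        // ClassFilter.exposeToScripts(className) is consulted for every
        // Java class a script tries to look up by name.
        ClassFilter filter = ALLOWED::contains;
        return new NashornScriptEngineFactory().getScriptEngine(filter);
    }

    // Returns true if the script ran, false if the engine rejected it.
    static boolean runs(ScriptEngine engine, String script) {
        SimpleBindings bindings = new SimpleBindings();
        bindings.put("args", new Object[] {1, 2});  // constructed sample data
        try {
            engine.eval(script, bindings);
            return true;
        } catch (ScriptException | RuntimeException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] unused) {
        ScriptEngine engine = newFilteredEngine();
        // Plain data access through the bindings still works.
        System.out.println(runs(engine, "args[0] + args[1]"));
        // Resolving a Java class by name is refused by the filter.
        System.out.println(runs(engine, "Java.type('java.lang.Runtime')"));
    }
}
```

A ClassFilter only governs which classes a script can look up by name; Java objects placed in the bindings remain callable from the script, so `_meta`, `args`, and `extParam` should carry plain data only.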

Commits on May 24, 2026

  1. 40de470
  2. a009c85
  3. e0a222d