Details
- Improvement
- Status: Closed
- Major
- Resolution: Won't Do
- 3.2.6
- None
- None
Description
Allowing the processing of remote scripts in Gremlin Server has important security issues that should be considered when deploying it. While we have documentation that explains the issue of "scripts", we could also consider the ability for Gremlin Server to be configured in a fashion where it only allowed bytecode-based processing. Obviously, this approach has some drawbacks, as the Gremlin Console would no longer work with this configuration turned on (users would have to use remote traversals/bytecode from the console to connect to their graph).
Eventually, we could probably have Gremlin Server running in this fashion by default/out-of-the-box, but we'd have to reserve that approach for when a breaking change was allowed in versioning (at this point 3.4.x).