disable javascript execution by default

[himanshug]

most users don't use javascript but still have it enabled because it happens to be default behavior and are surprised that it is enabled by default even with severe security threat.

with 0.10.0, we can disable javascript by default.

[gianm]

Pretty bold @himanshug :)

There should be a doc change for this too, at least to javascript.md and probably a few other files. Maybe also add a property druid.javascript.enable so the config to enable javascript doesn't look so goofy (druid.javascript.disable=false is a double negative and looks weird). If you do that then there should be something verifying that the two properties match up if they're both defined.

That all being said, I'm not sure how I feel about making this change. JavaScript being off by default appeals to me because it's generally not recommended except for prototyping, and is not sandboxed at all (which, even though documented, is likely surprising to users). But I am also reticent to go buck wild with incompatible changes. I'll go along with whatever the consensus is though.

[pjain1]

I am 👍 with the changes. I agree with Gian, I think we can just have an enable or enabled property and we can keep getDefault() method in addition to getEnabled() which would have enable set to false.

[gianm]

I did a double-take on this, thinking it was a method getting whether or not something was enabled. getEnabledInstance() or enabledInstance() would probably be clearer.

[himanshug]

changed

[himanshug]

@gianm I can make all the other doc updates etc , if we conclude that it makes sense to disable javascript by default. yes, it is backward incompatible and that is why 0.10.0 would be the right time to do it.
m adding the discuss tag on it.

[jon-wei]

I think having javascript disabled is a good default, and IMO it doesn't impose a huge incompatibility transition cost on users (just add the enable property to the config)

Also agree on flipping the setting name from druid.javascript.disabled to druid.javascript.enabled

[himanshug]

@gianm @jon-wei @pjain1 switched config name from "disabled" to "enabled" and updated javascript.md docs

[pjain1]

👍

[fjy]

👍

[jon-wei]

a secured production environments -> remove the a

[himanshug]

@jon-wei updated

[jon-wei]

Had a minor comment on doc wording, otherwise 👍

[gianm]

Looks good, but can I request we keep this open until next weeks dev sync?

[gianm]

"arbitrary"

[vogievetsky]

👎 booo JavaScript makes the world go round. There are a number of cool things in Plywood that would stop working if JavaScript was disabled.

[vogievetsky]

The specific things that JS is used for as a gap filler are:

• Aggregations over dimensions (Allow aggregators to work on dimensions #3004)
• Applying a boolean predicate (filter) as an extractionFn i.e. GROUP BY x == "lol"
• Applying cool functions like ABS and POWER
• Doing expression transformation within aggregates like SUM(x * y)
• Certain time manipulations (Add timePart extractionFn (Or make timeFormat more useful) #1877) that are currently done like so:

$("time").timePart('SECOND_OF_DAY', 'Etc/UTC')

=>

{
  "dimension": "__time",
  "extractionFn": {
    "function": "function(s){try{\nvar d = new org.joda.time.DateTime(s);\nd = d.getSecondOfDay();\nreturn d;\n}catch(e){return null;}}",
    "type": "javascript"
  },
  "outputName": "Time",
  "type": "extraction"
}

[himanshug]

@vogievetsky those are compelling reasons to have js enabled on cluster ( and by default specially for Pivot users)
couldn't discuss this one today, will conclude it in next sync-up.

[himanshug]

so, we discussed both options in the dev sync and concluded that it should be secure by default and by making users explicitly enable it, they will know the risks versus current default where users have it enabled inadvertently and not even using the JS features.

[himanshug]

this was discussed again today and still concluded to go ahead and disable javascript by default. @fjy @gianm

[gianm]

Ok, that sounds fair @himanshug. One request I have is to edit the docs for the "javascript" things to point out that it's disabled by default, otherwise users might get confused when the things they read about in the docs don't work. One way to do this is to change the info note that is next to all the javascript things to something like:

<div class="note info">
JavaScript-based functionality is disabled by default. Please refer to the Druid
<a href="../development/javascript.html">JavaScript programming guide</a> for
guidelines about using Druid's JavaScript functionality, including instructions on
how to enable it.
</div>

[gianm]

If you search in the docs for "JavaScript programming guide" you should then find all the boxes.

[himanshug]

@gianm docs for "JavaScript programming guide" are updated.

[gianm]

👍 LGTM

@himanshug I am OK with this patch as-is after fixing conflicts