Comparing changes

base repository: Tencent/APIJSON
base: 8.1.8
head repository: Tencent/APIJSON
compare: master
  • 9 commits
  • 4 files changed
  • 3 contributors

Commits on May 16, 2026

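  1. Add article: A worry-free, effort-saving backend powerhouse: APIJSON.NET

    Thanks to 妙堂传奇 for the contribution; like, bookmark, and share to support this enthusiastic author ^_^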
    https://mp.weixin.qq.com/s/8-E-a18NttdA0AAqasE0AQ
    TommyLemon authored May 16, 2026
    e321a94
  2. fix(security): unsandboxed jsr223 script execution enables arbitr

    JSR223ScriptExecutor.load() compiles arbitrary script strings via Compilable.compile() and execute() runs them via eval() with no ClassFilter, sandbox, or restricted ScriptContext. The bindings expose `_meta`, `args`, and `extParam`, but Nashorn/JS engines by default give scripts full access to Java reflection (e.g., Java.type('java.lang.Runtime').getRuntime().exec(...)). Comments in Operation.java explicitly warn 'JDK 8~13 can use the built-in Nashorn JS engine; be sure to configure a ClassFilter to prevent script injection attacks', but no ClassFilter is configured here. If script content is sourced from a database row, request payload, or any user-influenced channel (which the IF/CODE Operation suggests), this becomes RCE.
    
    Affected files: JSR223ScriptExecutor.java
    
    Signed-off-by: Nguyen Van Nam <nam.nv205106@gmail.com>
    Nam0101 committed May 16, 2026
    441e1fa
  3. fix: resolve #853 — [Feature] Is there no Demo for the 8.x version?

    Fixes #853
    
    Signed-off-by: Nguyen Van Nam <nam.nv205106@gmail.com>
    Nam0101 committed May 16, 2026
    bf4ef18

Commits on May 24, 2026

  1. 40de470
  2. a009c85
  3. e0a222d

Commits on Jun 7, 2026

  1. 8f2c951

Commits on Jun 11, 2026

  1. 5789d66
  2. 461a5cf