
v2.4.0-alpha.2

Pre-release


@ngjaying ngjaying released this 17 Dec 07:08
· 67 commits to master since this release
5619323

⚠️ Breaking Changes

IMPORTANT: This release includes security enhancements that may affect existing deployments.

  1. SSRF Protection Enabled by Default

    • The new enablePrivateNet configuration defaults to false, which blocks access to private network addresses (e.g., localhost, 127.0.0.1, internal IPs).
    • Action Required: If your rules rely on accessing local resources (local REST services, local databases, etc.), you must set enablePrivateNet: true in etc/kuiper.yaml.
    • Documentation
  2. File Access Restriction Enabled by Default

    • The new allowExternalFileAccess configuration defaults to false, restricting file access to the data/uploads directory only.
    • Action Required: If your plugins or schemas need to access files outside the uploads directory, set allowExternalFileAccess: true.
    • Documentation

New Features

Temporary Streams (#3940)

Introduced temporary streams that exist only in memory and are not persisted. They are defined using TEMP="true" in the stream definition and are ideal for intermediate data processing or testing. Temporary streams cannot be replaced and can only be used by temporary rules.

State Window Partition By (#3936)

State windows now support the PARTITION BY clause, enabling data partitioning into separate window groups. This allows more granular state tracking across different partitions.

Tuple Sink Format Support (#3954)

Tuple-based sinks now support configurable output formats, providing more flexibility in data serialization.

Video Source Enhancements (#3955)

Added new properties to the video source for better ffmpeg control:

  • debugResp: Output ffmpeg response to logs for debugging
  • inputArgs: Custom input arguments for ffmpeg (e.g., rtsp_transport: tcp)
  • Documentation

Global Configuration Provider (#3942)

Added a global configuration provider that allows portable plugins and external components to access eKuiper's configuration settings programmatically.

API ID Validation (#3951)

Added comprehensive validation for resource identifiers. Stream, table, rule, connection, plugin, schema, and service names are now validated to prevent invalid characters.


Security Enhancements

SSRF Protection

Implemented Server-Side Request Forgery (SSRF) protection across all HTTP clients. Private network access is blocked by default.

File Access Restriction (#3950)

Added configurable file access restrictions to prevent unauthorized file system access.

Path Traversal Prevention

  • Fixed upload embedded path traversal (#3958)
  • Fixed path traversal in file downloads
  • Enforced safe path validation for user input (#3911)
  • Safe unzip implementation (#3931)
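The file access restriction from the breaking-changes section and the safe path validation listed above describe the same check: a user-supplied path is only honoured if it stays inside data/uploads unless allowExternalFileAccess is on. The Go function below is an added illustration of that rule, not eKuiper's own implementation; the function name, the error value and the lexical ".." test are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideUploads: the path would escape uploadsDir while external access is off.
var ErrOutsideUploads = errors.New("path escapes the uploads directory")

// ResolveFilePath models the release-note rule: with allowExternalFileAccess=false
// only files under uploadsDir are reachable, with true any cleaned absolute path
// is accepted. Illustration only, not eKuiper's own code.
func ResolveFilePath(uploadsDir, userPath string, allowExternalFileAccess bool) (string, error) {
	root, err := filepath.Abs(uploadsDir)
	if err != nil {
		return "", err
	}
	// Relative input is anchored at the uploads directory; Clean/Join collapse
	// "a/../b" sequences and repeated separators. Absolute input is kept as-is.
	candidate := filepath.Clean(userPath)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(root, candidate)
	}
	if allowExternalFileAccess {
		return candidate, nil
	}
	// Rel yields a path beginning with ".." exactly when candidate lies outside
	// root, which is the lexical form of a traversal attempt. Symlinks inside
	// uploadsDir are not resolved here; a production check should additionally
	// apply filepath.EvalSymlinks to the existing prefix of the path.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideUploads
	}
	return candidate, nil
}

func main() {
	for _, p := range []string{"sub/../sample.csv", "../../etc/kuiper.yaml", "/etc/passwd"} {
		got, err := ResolveFilePath("data/uploads", p, false)
		fmt.Printf("%-24s -> %q, err=%v\n", p, got, err)
	}
}
```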

Bug Fixes

  • Fixed HTTP refresh token support (#3922)
  • Fixed REST sink access token handling
  • Fixed SQL lookup unsafe string (#3930)
  • Fixed wildcard expander limit in slice mode (#3925)
  • Fixed bool type conversion issues (#3917, #3918)
  • Fixed state window with GROUP BY key (#3916)

Dependency Updates

  • Upgraded Go version
  • Upgraded FoundationDB client to 7.3 (#3938)
  • Bumped logrus, paho.mqtt.golang, golang.org/x/crypto, jose2go, gorilla/schema

Full Changelog: v2.4.0-alpha.1...v2.4.0-alpha.2