Apache Commons logo Commons JEXL

Compatibility with previous release

Version 3.7.0 is source and binary compatible with 3.6.x but it changes default runtime and parse-time behavior.

Compatibility with older releases (< 3.7)

Since 3.7.0 the default permissions are SECURE (was RESTRICTED since 3.3) and the default features disable new(...), global side-effects, pragmas, and annotations (lexical scoping is enabled; loops remain available to scripts). Because features are enforced at parse time, existing scripts that use a disabled construct will throw JexlException.Feature when compiled against a 3.7 engine built with the default settings.

Despite the obvious inconvenience - our sincere apologies on the matter -, how much functional and semantic power is accessible through scripts has a real impact on your application security and stability; that potential risk requires an informed review and conscious choice on your end. Whether Files, URLs, networking, processes, class-loaders or reflection classes or whether loops or side effects are accessible may be used as ingress points for nefarious usage.

The fastest mitigation is to load the bundled jexl.yaml configuration (see JexlConfigLoader) which restores RESTRICTED permissions and enables new, loops, side-effects, and lambdas:

try (InputStream in = getClass().getResourceAsStream("/jexl.yaml")) {
    JexlEngine engine = JexlConfigLoader.load(in).create();
}
      

To discover which reflective elements the new SECURE permissions now deny in your workload, wrap your permission set with JexlPermissions.logging() before constructing the engine: each allow/deny decision is logged once.

As another mitigation approach, you can revert to the previous behaviors with a few lines of code (see JexlPermissions, JexlFeatures, JexlBuilder and JexlScriptEngine ).

Compatibility with older releases (< 3.3, 2.x)

Since 3.3 release, the default setting for permissions that determine which packages, classes and methods are accessible to scripts has been reduced to a very narrow set. When migrating from previous version of JEXL, this may result in breaking your application behavior ; this breaking change requires remediation in your code.

Despite the obvious inconvenience - our sincere apologies on the matter -, how much functional and semantic power is accessible through scripts has a real impact on your application security and stability ; that potential risk requires an informed review and conscious choice on your end.

What is new in 3.7.0:

JEXL 3.7.0 hardens the default security posture of the engine. Two defaults change:

  • The default permissions become JexlPermissions.SECURE — a minimum allow-list covering only safe java.lang value types, java.math, and java.util. Everything else (system classes, I/O, reflection, ...) is denied unless explicitly composed in.
  • The default feature set disables new(...), global side-effects, pragmas, and annotations, and enables lexical scoping; loops remain available to scripts (but never to expressions). Scripts using a disabled construct will throw JexlException.Feature at parse time.

The RESTRICTED permission set was also hardened: a class is now accessible only when its own package or class is explicitly permitted — access is no longer granted because a super-type or interface sits in an allowed package (the former "reach-through"), which previously exposed the entire foreign class.

The new JexlPermissions.logging() wrapper logs every allow/deny decision (each distinct decision logged once) and is the recommended diagnostic when migrating.

The permissions DSL gained the ability to deny individual members (such as a constructor) of an otherwise-allowed class, e.g. "java.util +{ -Formatter { Formatter(); } }".

A new JexlConfigLoader lets applications load engine configuration from a YAML file, including permissions (SECURE/RESTRICTED/UNRESTRICTED + compose rules), features, and namespaces.

New Features in 3.7.0:

JEXL-465: Add JexlConfigLoader to build a JexlEngine from a YAML configuration.
JEXL-464: Default permissions are SECURE and default features harden parse-time behavior (disable new, global side-effects, pragmas and annotations; enable lexical scoping; loops remain available to scripts).
JEXL-463: Add JexlPermissions.logging() to log which reflective elements are allowed or denied.

Bugs fixed in 3.7.0:

JEXL-462: JexlPermissions.RESTRICTED must ensure a better level of isolation.

What was new in 3.6.3:

JEXL 3.6.3 is a minor release that fixes some bugs. It does not introduce any breaking change.

Bugs fixed in 3.6.3:

JEXL-461: Updates/improvements to the site documentation for JEXL Syntax.
JEXL-459: Empty/size functions swallow all exceptions with no trace.
JEXL-458: Improve permissions expressivity.
JEXL-457: Reduce default exposure for RESTRICTED JexlPermissions.
JEXL-456: Change in template parser behavior.

Changes in 3.6.3:

Fix the @return tags in the Javadoc for JexlArithmetic.toBigInteger() overloads.
Bump org.apache.commons:commons-parent from 96 to 102.
Bump commons-logging:commons-logging from 1.3.5 to 1.4.0.
Bump com.google.code.gson:gson from 2.13.2 to 2.14.0.

What was new in 3.6.2:

JEXL 3.6.2 was a minor release that fixed some bugs. It did not introduce any breaking change.

Bugs fixed in 3.6.2:

JEXL-455: Tokenization error with multiline expressions.
JEXL-454: Switch NaN case not found.
JEXL-453: Finally clause is not evaluated.

Changes in 3.6.2:

Bump org.apache.commons:commons-parent from 93 to 96.

What was new in 3.6.1:

JEXL 3.6.1 was a minor release that fixed some bugs. It did not introduce any breaking change.

Bugs fixed in 3.6.1:

JEXL-452: Debug setting in Engine shows class/method/line even when set to false.
JEXL-451: Restore JexlSandbox permission capabilities on Object.class.
JEXL-450: Disable instantiation of internal classes in RESTRICTED mode.
JEXL-449: Inconsistency on nature of curly-bracket syntactic elements regarding annotations.

Changes in 3.6.1:

Bump org.apache.commons:commons-parent from 91 to 93.
Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.20.0.

What was new in 3.6.0:

JEXL 3.6.0 introduced a switch statement and expressions (JEXL-440). It was a minor release that did not introduce any breaking change.

New Features in 3.6.0:

JEXL-440: Switch statement & expressions.

Bugs fixed in 3.6.0:

JEXL-448: Engines caching misses local variables handling and global eviction capability.
JEXL-447: Regression in script-defined functions.
JEXL-446: ClassTool module inspection is too strict.
JEXL-442: Local variables are not resolved in interpolation string expression.
JEXL-441: Tokenization error if "\n" in template expression.
JEXL-439: When using reference capture, incorrect scoping when local variable redefines a captured symbol.
JEXL-437: Semicolons not actually optional between function calls on separate lines.
AbstractExecutor.initMarker throws IllegalArgumentException instead of Exception.
Reuse BigInteger constants instead of creating new instances in JexlArithmetic.toBigInteger(Object).

Changes in 3.6.0:

Bump org.apache.commons:commons-parent from 81 to 91.
Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0.
Bump com.google.code.gson:gson from 2.13.1 to 2.13.2.