Unhide setting js.interpretation.enabled

[winterhazel]

Description

This PR proposes unhiding js.interpretation.enabled. For reference regarding why, see the discussion in #12523.

Also, the configuration was made dynamic, and some extra refactoring was performed to organize the code (JsInterpreterHelper already exists in main).

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

How Has This Been Tested?

1. I upgraded my environment to the new version, with the changes included, and checked the database entry for js.interpretation.enabled.

• Before the changes:

  MariaDB [cloud]> select * from configuration where name = "js.interpretation.enabled";
    +----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
    | category | instance | component        | name                      | value                                        | description                                                                                                | default_value | updated             | is_dynamic | group_id | subgroup_id | parent | display_text              | kind | options | scope |
    +----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
    | Hidden   | DEFAULT  | ManagementServer | js.interpretation.enabled | MQmVLZoL1kmmDHZR1YsoIgw0OuvMDdyTnU9y3FEUNDA= | Enable/Disable all JavaScript interpretation related functionalities to create or update Javascript rules. | false         | 2026-01-23 11:09:12 |          0 |        1 |           1 | NULL   | Js interpretation enabled | NULL | NULL    |     1 |
    +----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+

• In the logs:

  2026-02-06 11:46:01,436 INFO  [c.c.u.d.Upgrade42210to42300] (main:[]) (logid:) Updating setting 'js.interpretation.enabled' to decrypted value [true].
  

• After the changes:

  MariaDB [cloud]> select * from configuration where name = "js.interpretation.enabled";
   +----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
   | category | instance | component     | name                      | value | description                                                           | default_value | updated             | is_dynamic | group_id | subgroup_id | parent | display_text              | kind | options | scope |
   +----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
   | System   | DEFAULT  | JsInterpreter | js.interpretation.enabled | true  | Enable/disable all JavaScript interpretation related functionalities. | false         | 2026-02-06 11:45:28 |          1 |        1 |           1 | NULL   | Js interpretation enabled | NULL | NULL    |     1 |
   +----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+

2. I attempted to create heuristic rules, flexible tags, and Quota activation rules. When the setting was disabled, I received an error informing me that js.interpretation.enabled was disabled. When the setting was enabled, I was able to create them successfully.

[winterhazel]

@blueorangutan package

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

❌ Patch coverage is 3.63636% with 53 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.00%. Comparing base (e2d18c0) to head (2a2058a).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
...ava/com/cloud/upgrade/dao/Upgrade42210to42300.java	0.00%	32 Missing ⚠️
.../cloudstack/jsinterpreter/JsInterpreterHelper.java	15.38%	11 Missing ⚠️
...ain/java/com/cloud/storage/StorageManagerImpl.java	0.00%	4 Missing ⚠️
...in/java/com/cloud/server/ManagementServerImpl.java	0.00%	3 Missing ⚠️
...udstack/api/response/QuotaResponseBuilderImpl.java	0.00%	2 Missing ⚠️
...n/java/com/cloud/resource/ResourceManagerImpl.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12605      +/-   ##
============================================
- Coverage     18.00%   18.00%   -0.01%     
- Complexity    16464    16465       +1     
============================================
  Files          5977     5976       -1     
  Lines        537726   537801      +75     
  Branches      66026    66039      +13     
============================================
+ Hits          96839    96840       +1     
- Misses       429968   430039      +71     
- Partials      10919    10922       +3     

Flag	Coverage Δ
uitests	3.52% <ø> (ø)
unittests	19.17% <3.63%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16729

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-15416)

[winterhazel]

@blueorangutan package

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16762

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[DaanHoogland]

clgtm

[blueorangutan]

[SF] Trillian Build Failed (tid-15426)

[Copilot]

Pull request overview

This PR unhides the js.interpretation.enabled configuration setting, moving it from the "Hidden" category to the "System" category, and makes it dynamic so it can be changed without restarting the management server. This addresses issue #12523 where the management server would hang during startup when this setting was enabled. The PR refactors the JavaScript interpretation validation logic by introducing a new JsInterpreterHelper class that centralizes the configuration and validation logic.

Changes:

• Introduces JsInterpreterHelper class to centralize JS interpretation configuration and validation
• Moves js.interpretation.enabled from ManagementService to JsInterpreterHelper and changes it from "Hidden" to "System" category
• Makes the configuration dynamic to allow runtime changes
• Migrates all validation calls from ManagementService.checkJsInterpretationAllowedIfNeededForParameterValue() to JsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided()
• Adds database upgrade script to unhide and decrypt the existing configuration value

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
server/src/main/java/org/apache/cloudstack/jsinterpreter/JsInterpreterHelper.java	New helper class that implements Configurable interface and provides the JS_INTERPRETATION_ENABLED ConfigKey and validation method
server/src/main/java/com/cloud/storage/StorageManagerImpl.java	Updated to inject and use JsInterpreterHelper for validating storage pool and secondary storage selector operations
server/src/main/java/com/cloud/server/ManagementServerImpl.java	Removed old ConfigKey definition, jsInterpretationEnabled field, and validation method; unconditionally registers CreateSecondaryStorageSelectorCmd and UpdateSecondaryStorageSelectorCmd
server/src/main/java/com/cloud/resource/ResourceManagerImpl.java	Updated to inject and use JsInterpreterHelper for validating host update operations
plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaServiceImpl.java	Removed jsInterpretationEnabled field and isJsInterpretationEnabled() method
plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaService.java	Removed isJsInterpretationEnabled() method from interface
plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java	Updated to inject and use JsInterpreterHelper for validating quota tariff operations
engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42020to42030.java	Adds database migration to unhide and decrypt the js.interpretation.enabled configuration setting
api/src/main/java/com/cloud/server/ManagementService.java	Removed JsInterpretationEnabled ConfigKey and checkJsInterpretationAllowedIfNeededForParameterValue() method

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[weizhouapache]

@winterhazel
the mgmt service failed to start , can you check ?
the simulator CI tests failed too

[winterhazel]

@blueorangutan package

[winterhazel]

@winterhazel the mgmt service failed to start , can you check ? the simulator CI tests failed too

@weizhouapache should be fixed now

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16886

[sureshanaparti]

@blueorangutan test

[blueorangutan]

@sureshanaparti a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15503)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 52161 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12605-t15503-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_LoginApiDomain	Error	7.20	test_accounts.py

[winterhazel]

@blueorangutan package

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17345

[bernardodemarco]

lgtm, manually tested in a local env:

Before

MariaDB [cloud]> select * from configuration where name = "js.interpretation.enabled";
+----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
| category | instance | component        | name                      | value                                        | description                                                                                                | default_value | updated             | is_dynamic | group_id | subgroup_id | parent | display_text              | kind | options | scope |
+----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
| Hidden   | DEFAULT  | ManagementServer | js.interpretation.enabled | 8M83R8t/pmuZGxpxDoQJlqvOiZHVcYFa0hBJilzKqA/T | Enable/Disable all JavaScript interpretation related functionalities to create or update Javascript rules. | false         | 2026-01-08 18:09:46 |          0 |        1 |           1 | NULL   | Js interpretation enabled | NULL | NULL    |     1 |
+----------+----------+------------------+---------------------------+----------------------------------------------+------------------------------------------------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
1 row in set (0.001 sec)

After

MariaDB [cloud]> select * from configuration where name = "js.interpretation.enabled";
+----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
| category | instance | component     | name                      | value | description                                                           | default_value | updated             | is_dynamic | group_id | subgroup_id | parent | display_text              | kind | options | scope |
+----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
| System   | DEFAULT  | JsInterpreter | js.interpretation.enabled | false | Enable/disable all JavaScript interpretation related functionalities. | false         | 2026-04-09 20:53:32 |          1 |        1 |           1 | NULL   | Js interpretation enabled | NULL | NULL    |     1 |
+----------+----------+---------------+---------------------------+-------+-----------------------------------------------------------------------+---------------+---------------------+------------+----------+-------------+--------+---------------------------+------+---------+-------+
1 row in set (0.001 sec)

Management Server logs

> grep 'Updating setting' /var/log/cloudstack/management/management-server.log
2026-04-09 20:49:52,904 INFO  [c.c.u.d.Upgrade42210to42300] (main:[]) (logid:) Updating setting 'js.interpretation.enabled' to decrypted value [false], and category 'System', component 'JsInterpreter', and is_dynamic '1'.

---

@winterhazel, thanks for the PR. By the way, IMHO, hiding js.interpretation.enabled and changing its value to be encrypted was completely inappropriate. There are no known vulnerabilities in the ACS JS interpreter. We cannot simply hide a feature from the platform just because it has had a known vulnerability or because vulnerabilities could potentially be discovered in the future. If we follow this line of thinking, would we hide all ACS features by default?

[winterhazel]

@bernardodemarco see #12523. This change was not appropriately discussed while addressing the vulnerability that prompted the introduction of the setting.

[winterhazel]

@DaanHoogland could we run the CI here one last time? Edit: noticed a grammar mistake

[winterhazel]

@blueorangutan package

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17430

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests