Stephane Landelle

Results 236 comments of Stephane Landelle

Re https://github.com/gatling/gatling/issues/4316#issuecomment-1215076367 That won't let you generate `3.01`.

> randomDouble(min, max, round) | round = -1, no rounding

I really don't like magic values. We could have `randomDouble(min, max)` and `randomDouble(min, max, fractionalDigits)`.

> randomFloat

Let's postpone this...

@shoaib42 There are 2 different cases:

* `randomDouble(min, max)` => no brainer
* `randomDouble(min, max, fractionalDigits)` => your hacky way will overflow for large numbers or a large number of digits....

I suspect any correct solution would have poor performance. Actually, this makes me wonder if this scale feature is really something we want for numbers. Shouldn't actually such generator output...

IMHO, using deny lists is an error and pebble should switch to using allow lists instead: the end-user should be responsible for deciding which classes are safe and which are...

Disclaimer: I'm just an occasional contributor here @chaitu0292 No, this CVE is not addressed. IMHO, the blacklist approach that was picked cannot possibly cover all possible security leaks and only...

> we'll need to whitelist a lot of things (jdk, spring etc.)

> jdk

Indeed, core classes and Java collections are often used in pebble templates.

> spring

This I...

> And the opposite, blacklisting would not make the CVE go away I guess.

Exactly. Then, please remember that CVE severity is only determined based on the potential impact if...

Side note: when we have a fix, I don't know how we'll be able to update the CVE. @ebussieres did @Y4tacker reach out before publishing his post? Did the CVE...

@Y4tacker Pet projects can't be expected to have well-defined processes like the ones hosted at the Apache Foundation (those are actually requirements to get hosted there). A typical flow is...