From 8d6d6652568d88ca37fe1804a9a4e611eead813d Mon Sep 17 00:00:00 2001
From: Nolan Ehrstrom
Date: Tue, 14 Jan 2025 14:35:29 -0800
Subject: [PATCH] Disable script executors unless CUSTOM_EXECUTORS=true
---
 .env.example | 1 +
 .../Controllers/Admin/ScriptExecutorController.php | 4 ++++
 .../Http/Controllers/Api/ScriptExecutorController.php | 4 ++++
 ProcessMaker/Http/Middleware/GenerateMenus.php | 10 ++++++----
 config/app.php | 4 +++-
 5 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/.env.example b/.env.example
index 1b2468d570..0578e69a96 100644
--- a/.env.example
+++ b/.env.example
@@ -47,3 +47,4 @@ OPEN_AI_SECRET="sk-O2D..."
 AI_MICROSERVICE_HOST="http://localhost:8010"
 PROCESS_REQUEST_ERRORS_RATE_LIMIT=1
 PROCESS_REQUEST_ERRORS_RATE_LIMIT_DURATION=86400
+CUSTOM_EXECUTORS=false
\ No newline at end of file
diff --git a/ProcessMaker/Http/Controllers/Admin/ScriptExecutorController.php b/ProcessMaker/Http/Controllers/Admin/ScriptExecutorController.php
index 671cb9b9ba..76f2450ec2 100644
--- a/ProcessMaker/Http/Controllers/Admin/ScriptExecutorController.php
+++ b/ProcessMaker/Http/Controllers/Admin/ScriptExecutorController.php
@@ -9,6 +9,10 @@ class ScriptExecutorController extends Controller
 {
 public function index(Request $request)
 {
+ if (!config('app.custom_executors')) {
+ abort(404);
+ }
+
 return view('admin.script-executors.index');
 }
 }
diff --git a/ProcessMaker/Http/Controllers/Api/ScriptExecutorController.php b/ProcessMaker/Http/Controllers/Api/ScriptExecutorController.php
index e625ac01d8..dfca2ea8e6 100644
--- a/ProcessMaker/Http/Controllers/Api/ScriptExecutorController.php
+++ b/ProcessMaker/Http/Controllers/Api/ScriptExecutorController.php
@@ -254,6 +254,10 @@ public function delete(Request $request, ScriptExecutor $scriptExecutor)
 
 private function checkAuth($request)
 {
+ if (!config('app.custom_executors')) {
+ abort(404);
+ }
+
 if (!$request->user()->is_administrator) {
 throw new AuthorizationException();
 }
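Review bot: In `checkAuth()` of `Api/ScriptExecutorController` the new `CUSTOM_EXECUTORS` gate only protects the API actions that actually call this private helper, and its callers are outside the hunk, so please confirm every public action in the controller goes through it. A route middleware on the script-executor route groups would enforce the flag in one place instead of here and in `Admin/ScriptExecutorController::index`, so a route added later cannot miss it. A scope comment would also help, e.g. `// Blocks executor management only; executors already stored are not touched here.` Whether previously created custom executors can still be used with the flag off is not visible in this diff and should be checked. The body of `checkAuth()` continues past the end of the hunk.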
diff --git a/ProcessMaker/Http/Middleware/GenerateMenus.php b/ProcessMaker/Http/Middleware/GenerateMenus.php
index d50a0d9224..2959431ca6 100644
--- a/ProcessMaker/Http/Middleware/GenerateMenus.php
+++ b/ProcessMaker/Http/Middleware/GenerateMenus.php
@@ -115,10 +115,12 @@ public function handle(Request $request, Closure $next)
 'icon' => 'fa-infinity',
 ]);
 
- $submenu->add(__('Script Executors'), [
- 'route' => 'script-executors.index',
- 'icon' => 'fa-code',
- ]);
+ if (config('app.custom_executors')) {
+ $submenu->add(__('Script Executors'), [
+ 'route' => 'script-executors.index',
+ 'icon' => 'fa-code',
+ ]);
+ }
 
 $devlinkIcon = base64_encode(file_get_contents(base_path('resources/img/devlink.svg')));
 $submenu->add(__('DevLink'), [
diff --git a/config/app.php b/config/app.php
index a011248e48..8058cbf8ae 100644
--- a/config/app.php
+++ b/config/app.php
@@ -246,7 +246,7 @@
 // Process Request security log rate limit: 1 per day (86400 seconds)
 'process_request_errors_rate_limit' => env('PROCESS_REQUEST_ERRORS_RATE_LIMIT', 1),
 'process_request_errors_rate_limit_duration' => env('PROCESS_REQUEST_ERRORS_RATE_LIMIT_DURATION', 86400),
-
+
 'default_colors' => [
 'primary' => '#2773F3',
 'secondary' => '#728092',
@@ -266,4 +266,6 @@
 'vault_token' => env('ENCRYPTED_DATA_VAULT_TOKEN', ''),
 'vault_transit_key' => env('ENCRYPTED_DATA_VAULT_TRANSIT_KEY', ''),
 ],
+
+ 'custom_executors' => env('CUSTOM_EXECUTORS', false),
 ];
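Review bot: `'custom_executors' => env('CUSTOM_EXECUTORS', false)` in the second `config/app.php` hunk fails open on a mistyped value. Laravel's `env()` converts only the literals `true`/`false` (plus `(true)`/`(false)`, `null`, `empty`), so `CUSTOM_EXECUTORS=no` or `=off` arrives as a non-empty string and passes the `config('app.custom_executors')` truthiness checks in both controllers and in `GenerateMenus`. As the commit intends the feature to be off unless explicitly enabled, normalise the value to a strict boolean: `'custom_executors' => filter_var(env('CUSTOM_EXECUTORS', false), FILTER_VALIDATE_BOOLEAN),`. A one-line comment above the key saying that it enables the script-executor admin UI and API and defaults to off would help operators.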