Eliminating vulnerabilities in the Spring SpEL

Time:01-16

I'm testing the Spring SpEL and I'm wondering if it is possible to somehow limit what kind of SpEL query can be provided, to avoid some unwanted code injection. I just want to get values from some object, so is it possible to block other types of operations? I can't find such functionality in the Spring documentation.

For instance, I just want to allow checking whether the value from the test object equals XYZ.

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Test is assumed to expose a "value" property (getValue()) for the expression below
Test test = new Test("XYZ", 999);
ExpressionParser expressionParser = new SpelExpressionParser();
Expression expression = expressionParser.parseExpression("value eq 'XYZ'");

// StandardEvaluationContext exposes the full SpEL feature set (types, constructors, reflection)
System.out.println(expression.getValue(new StandardEvaluationContext(test)));

However, I would like to limit which expressions are valid. I don't want to evaluate expressions which allow executing some code, for instance:

Expression expression = expressionParser.parseExpression("''.getClass().forName('java.lang.Runtime').getMethods()[6]");

CodePudding user response:

As @ArtemBilan mentioned in the comment, the solution to limit the SpEL language syntax and eliminate unwanted code execution is to use the SimpleEvaluationContext class, for instance:

import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Data-binding-only context: property access plus instance methods on the root object,
// but no type references (T(...)), constructors or bean references
SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding()
        .withInstanceMethods()
        .withRootObject(test)
        .build();
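To show the difference in practice, here is an added example (not code from the question or the answer) that evaluates the harmless comparison from the question and the reflective Runtime chain against a SimpleEvaluationContext. It assumes a Test class with getValue() and getNumber() accessors, since forReadOnlyDataBinding() reads properties through getters; the SpelSandboxDemo class name and the evaluate() helper are the example's own. withInstanceMethods() is deliberately left out because the question only needs property reads; with it enabled, the DataBindingMethodResolver still refuses static methods and methods declared on Object or Class, so the getClass().forName(...) chain is rejected either way.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelSandboxDemo {

    // Constructed stand-in for the question's Test class (assumption: it has getters).
    public static class Test {
        private final String value;
        private final int number;

        public Test(String value, int number) {
            this.value = value;
            this.number = number;
        }

        public String getValue() { return value; }
        public int getNumber() { return number; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluates an untrusted expression with property access only:
    // no type references, no constructors, no bean references, no method calls.
    static Object evaluate(String spel, Object root) {
        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        Expression expression = PARSER.parseExpression(spel);
        return expression.getValue(context);
    }

    public static void main(String[] args) {
        Test test = new Test("XYZ", 999);

        // Plain property reads and comparisons are allowed
        System.out.println(evaluate("value eq 'XYZ'", test));   // true
        System.out.println(evaluate("number > 500", test));     // true

        // Expressions that leave the data-binding subset throw at evaluation time:
        // the reflective chain from the question, a type reference and a constructor call.
        String[] rejected = {
            "''.getClass().forName('java.lang.Runtime').getMethods()[6]",
            "T(java.lang.Math).abs(-1)",
            "new java.util.ArrayList()"
        };
        for (String spel : rejected) {
            try {
                evaluate(spel, test);
                System.out.println("UNEXPECTED: evaluated " + spel);
            } catch (EvaluationException ex) {
                System.out.println("rejected: " + spel + " (" + ex.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Catching EvaluationException rather than the narrower SpelEvaluationException keeps the handler stable across Spring versions; in a real endpoint the caught exception should be logged with the offending expression so that attempted injection shows up in monitoring rather than being silently swallowed.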