== How to fix it in Commons Compiler

=== Code examples

The following code is vulnerable to arbitrary code execution because it compiles
and runs HTTP data.

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
import org.codehaus.janino.ScriptEvaluator;

@Controller
public class ExampleController
{
    @GetMapping(value = "/")
    public void exec(@RequestParam("message") String message) throws IOException, InvocationTargetException {
        ScriptEvaluator se = new ScriptEvaluator();
        se.cook("System.out.println(\" + message \");");
        se.evaluate(null);
    }
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
import org.codehaus.janino.ScriptEvaluator;

@Controller
public class ExampleController
{
    @GetMapping(value = "/")
    public void exec(@RequestParam("message") String message) throws IOException, InvocationTargetException {
        ScriptEvaluator se = new ScriptEvaluator();
        se.setParameters(new String[] { "input" }, new Class[] { String.class });
        se.cook("System.out.println(input);");
        se.evaluate(new Object[] { message });
    }
}
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

The compliant code example uses such an approach.

include::../../common/fix/allowlist.adoc[]