== How to fix it in Spring

=== Code examples

The following code is vulnerable to arbitrary code execution because it compiles
and runs HTTP data.

==== Noncompliant code example

[source,java,diff-id=11,diff-type=noncompliant]
----
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

@Controller
public class ExampleController
{
    @GetMapping(value = "/")
    public void exec(@RequestParam("message") String message) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(message);
    }
}
----

==== Compliant solution

[source,java,diff-id=11,diff-type=compliant]
----
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

@Controller
public class ExampleController
{
    @GetMapping(value = "/")
    public void exec(@RequestParam("message") String message) {
        StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
        evaluationContext.setVariable("msg", message);

        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression("#msg");
        String result = (String) exp.getValue(evaluationContext);
    }
}
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

The compliant code example uses such an approach.

include::../../common/fix/allowlist.adoc[]