54 lines
1.5 KiB
Plaintext
54 lines
1.5 KiB
Plaintext
== How to fix it in JSP
|
|
|
|
=== Code examples
|
|
|
|
The following code is vulnerable to arbitrary code execution because it compiles
|
|
and runs HTTP data.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,java,diff-id=21,diff-type=noncompliant]
|
|
----
|
|
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
|
|
<spring:eval expression="${tainted}" var="result"/>
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
It is not possible to securely include user input in a SpEL expression inside of
|
|
the template. Evaluate the expression in the controller and pass the result to
|
|
the template instead.
|
|
|
|
[source,java,diff-id=21,diff-type=compliant]
|
|
----
|
|
import org.springframework.expression.Expression;
|
|
import org.springframework.expression.ExpressionParser;
|
|
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
|
import org.springframework.ui.Model;
|
|
|
|
@Controller
|
|
public class ExampleController
|
|
{
|
|
@GetMapping(value = "/")
|
|
public void exec(@RequestParam("message") String message, Model model) {
|
|
StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
|
|
evaluationContext.setVariable("msg", message);
|
|
|
|
ExpressionParser parser = new SpelExpressionParser();
|
|
Expression exp = parser.parseExpression("#msg");
|
|
String result = (String) exp.getValue(evaluationContext);
|
|
model.addAttribute("result", result);
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/introduction.adoc[]
|
|
|
|
include::../../common/fix/parameters.adoc[]
|
|
|
|
The compliant code example uses such an approach.
|
|
|
|
include::../../common/fix/allowlist.adoc[]
|