59 lines
1.6 KiB
Plaintext
59 lines
1.6 KiB
Plaintext
== How to fix it in Spring
|
|
|
|
=== Code examples
|
|
|
|
The following code is vulnerable to arbitrary code execution because it compiles
|
|
and runs HTTP data.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,java,diff-id=11,diff-type=noncompliant]
|
|
----
|
|
import org.springframework.expression.Expression;
|
|
import org.springframework.expression.ExpressionParser;
|
|
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
|
|
|
@Controller
|
|
public class ExampleController
|
|
{
|
|
@GetMapping(value = "/")
|
|
public void exec(@RequestParam("message") String message) {
|
|
ExpressionParser parser = new SpelExpressionParser();
|
|
Expression exp = parser.parseExpression(message);
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,java,diff-id=11,diff-type=compliant]
|
|
----
|
|
import org.springframework.expression.Expression;
|
|
import org.springframework.expression.ExpressionParser;
|
|
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
|
|
|
@Controller
|
|
public class ExampleController
|
|
{
|
|
@GetMapping(value = "/")
|
|
public void exec(@RequestParam("message") String message) {
|
|
StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
|
|
evaluationContext.setVariable("msg", message);
|
|
|
|
ExpressionParser parser = new SpelExpressionParser();
|
|
Expression exp = parser.parseExpression("#msg");
|
|
String result = (String) exp.getValue(evaluationContext);
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/introduction.adoc[]
|
|
|
|
include::../../common/fix/parameters.adoc[]
|
|
|
|
The compliant code example uses such an approach.
|
|
|
|
include::../../common/fix/allowlist.adoc[]
|