Spel security fix; fixes gh-917

Marcin Grzejszczak
2018-04-06 17:06:47 +02:00
parent 7e81e74a9c
commit 7f73677bc8
4 changed files with 19 additions and 7 deletions


@@ -294,7 +294,9 @@ Precedence is:
- try with the bean of `TagValueResolver` type and provided name
- if one hasn't provided the bean name, try to evaluate an expression. We're searching for a `TagValueExpressionResolver` bean.
The default implementation uses SPEL expression resolution.
The default implementation uses SPEL expression resolution. If we do not find any expression to evaluate, return the `toString()`
value of the parameter.
**IMPORTANT** You can only reference properties from the SPEL expression. Method execution is not allowed due to security constraints.
- if one hasn't provided any expression to evaluate just return a `toString()` value of the parameter
==== Custom extractor
@@ -950,4 +952,4 @@ class ReporterConfiguration {
You can find the running examples deployed in the https://run.pivotal.io/[Pivotal Web Services]. Check them out in the following links:
- http://docssleuth-zipkin-server.cfapps.io/[Zipkin for apps presented in the samples to the top]
- http://docsbrewing-zipkin-server.cfapps.io/[Zipkin for Brewery on PWS], its https://github.com/spring-cloud-samples/brewery[Github Code]
- http://docsbrewing-zipkin-server.cfapps.io/[Zipkin for Brewery on PWS], its https://github.com/spring-cloud-samples/brewery[Github Code]


@@ -13,7 +13,7 @@
<parent>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-build</artifactId>
<version>1.3.8.RELEASE</version>
<version>1.3.9.BUILD-SNAPSHOT</version>
<relativePath/>
<!-- lookup parent from repository -->
</parent>
@@ -241,7 +241,7 @@
<maven.compiler.testSource>1.8</maven.compiler.testSource>
<surefire.plugin.version>2.19.1</surefire.plugin.version>
<checkstyle.version>2.17</checkstyle.version>
<spring-cloud-build.version>1.3.8.RELEASE</spring-cloud-build.version>
<spring-cloud-build.version>1.3.9.BUILD-SNAPSHOT</spring-cloud-build.version>
<spring-cloud-commons.version>1.3.3.BUILD-SNAPSHOT</spring-cloud-commons.version>
<spring-cloud-stream.version>Ditmars.BUILD-SNAPSHOT</spring-cloud-stream.version>
<spring-cloud-netflix.version>1.4.4.BUILD-SNAPSHOT</spring-cloud-netflix.version>


@@ -23,6 +23,7 @@ import org.apache.commons.logging.LogFactory;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
/**
* Uses SPEL to evaluate the expression. If an exception is thrown will return
@@ -37,9 +38,12 @@ class SpelTagValueExpressionResolver implements TagValueExpressionResolver {
@Override
public String resolve(String expression, Object parameter) {
try {
SimpleEvaluationContext context = SimpleEvaluationContext
.forReadOnlyDataBinding()
.build();
ExpressionParser expressionParser = new SpelExpressionParser();
Expression expressionToEvaluate = expressionParser.parseExpression(expression);
return expressionToEvaluate.getValue(parameter, String.class);
return expressionToEvaluate.getValue(context, parameter, String.class);
} catch (Exception e) {
log.error("Exception occurred while tying to evaluate the SPEL expression [" + expression + "]", e);
}
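Review bot: The class Javadoc above `resolve` does not state the new restriction: with `SimpleEvaluationContext.forReadOnlyDataBinding()` an expression can no longer invoke methods, reference types (`T(...)`) or beans, but it can still read any public property or getter reachable from `parameter` and index into arrays, lists and maps, so the Javadoc should say something like `Evaluates the expression against the parameter with a read-only data-binding context: property and indexed access only, no method invocation, type or bean references.` The `SpelExpressionParser` is thread-safe and is now rebuilt on every call; make it a `private static final SpelExpressionParser PARSER = new SpelExpressionParser();` and use it in `resolve`. `SimpleEvaluationContext` only exists from Spring Framework 4.3.15 / 5.0.5, so this compiles only if the parent bump in the pom pulls in a matching framework version — worth confirming. The catch block logs the raw expression at ERROR level on every failure; if an expression can come from outside the codebase that is a log-flooding and log-injection channel, and the body of `resolve` continues past the hunk.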


@@ -27,10 +27,16 @@ public class SpelTagValueExpressionResolverTests {
@Test
public void should_use_spel_to_resolve_a_value() throws Exception {
SpelTagValueExpressionResolver resolver = new SpelTagValueExpressionResolver();
MyObject myObject = new MyObject();
myObject.name = "hello";
String resolved = resolver.resolve("length() + 1", "foo");
String resolved = resolver.resolve("name + ' world'", myObject);
then(resolved).isEqualTo("4");
then(resolved).isEqualTo("hello world");
}
public static class MyObject {
public String name;
}
@Test