Spel security fix; fixes gh-917
@@ -294,7 +294,9 @@ Precedence is:
|
||||
|
||||
- try with the bean of `TagValueResolver` type and provided name
|
||||
- if one hasn't provided the bean name, try to evaluate an expression. We're searching for a `TagValueExpressionResolver` bean.
|
||||
The default implementation uses SPEL expression resolution.
|
||||
The default implementation uses SPEL expression resolution. If we do not find any expression to evaluate, return the `toString()`
|
||||
value of the parameter.
|
||||
**IMPORTANT** You can only reference properties from the SPEL expression. Method execution is not allowed due to security constraints.
|
||||
- if one hasn't provided any expression to evaluate just return a `toString()` value of the parameter
|
||||
|
||||
==== Custom extractor
|
||||
@@ -950,4 +952,4 @@ class ReporterConfiguration {
|
||||
You can find the running examples deployed in the https://run.pivotal.io/[Pivotal Web Services]. Check them out in the following links:
|
||||
|
||||
- http://docssleuth-zipkin-server.cfapps.io/[Zipkin for apps presented in the samples to the top]
|
||||
- http://docsbrewing-zipkin-server.cfapps.io/[Zipkin for Brewery on PWS], its https://github.com/spring-cloud-samples/brewery[Github Code]
|
||||
- http://docsbrewing-zipkin-server.cfapps.io/[Zipkin for Brewery on PWS], its https://github.com/spring-cloud-samples/brewery[Github Code]
|
||||
4
pom.xml
4
pom.xml
@@ -13,7 +13,7 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.cloud</groupId>
|
||||
<artifactId>spring-cloud-build</artifactId>
|
||||
<version>1.3.8.RELEASE</version>
|
||||
<version>1.3.9.BUILD-SNAPSHOT</version>
|
||||
<relativePath/>
|
||||
<!-- lookup parent from repository -->
|
||||
</parent>
|
||||
@@ -241,7 +241,7 @@
|
||||
<maven.compiler.testSource>1.8</maven.compiler.testSource>
|
||||
<surefire.plugin.version>2.19.1</surefire.plugin.version>
|
||||
<checkstyle.version>2.17</checkstyle.version>
|
||||
<spring-cloud-build.version>1.3.8.RELEASE</spring-cloud-build.version>
|
||||
<spring-cloud-build.version>1.3.9.BUILD-SNAPSHOT</spring-cloud-build.version>
|
||||
<spring-cloud-commons.version>1.3.3.BUILD-SNAPSHOT</spring-cloud-commons.version>
|
||||
<spring-cloud-stream.version>Ditmars.BUILD-SNAPSHOT</spring-cloud-stream.version>
|
||||
<spring-cloud-netflix.version>1.4.4.BUILD-SNAPSHOT</spring-cloud-netflix.version>
|
||||
|
||||
@@ -23,6 +23,7 @@ import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.expression.Expression;
|
||||
import org.springframework.expression.ExpressionParser;
|
||||
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
||||
import org.springframework.expression.spel.support.SimpleEvaluationContext;
|
||||
|
||||
/**
|
||||
* Uses SPEL to evaluate the expression. If an exception is thrown will return
|
||||
@@ -37,9 +38,12 @@ class SpelTagValueExpressionResolver implements TagValueExpressionResolver {
|
||||
@Override
|
||||
public String resolve(String expression, Object parameter) {
|
||||
try {
|
||||
SimpleEvaluationContext context = SimpleEvaluationContext
|
||||
.forReadOnlyDataBinding()
|
||||
.build();
|
||||
ExpressionParser expressionParser = new SpelExpressionParser();
|
||||
Expression expressionToEvaluate = expressionParser.parseExpression(expression);
|
||||
return expressionToEvaluate.getValue(parameter, String.class);
|
||||
return expressionToEvaluate.getValue(context, parameter, String.class);
|
||||
} catch (Exception e) {
|
||||
log.error("Exception occurred while tying to evaluate the SPEL expression [" + expression + "]", e);
|
||||
}
|
||||
|
||||
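Review bot: The broad `catch (Exception e)` after the new `getValue(context, parameter, String.class)` call now also swallows the SpelEvaluationException that the read-only SimpleEvaluationContext raises when an expression tries a method invocation, type reference or bean reference, so a rejected expression is logged as a generic error and falls through to whatever resolve returns after the hunk (that return, and the rest of the method, are outside the hunk). Narrowing it to `} catch (EvaluationException | ParseException e) {` keeps the security rejection and a malformed expression distinguishable from an unexpected runtime error, which this catch would otherwise turn into the fallback value. Separately, `new SpelExpressionParser()` and the context are rebuilt on every call; SpelExpressionParser is documented as reusable and thread-safe, so it can be a `private static final` field, and because `forReadOnlyDataBinding()` does not depend on `parameter` the context can be hoisted the same way provided no variables are ever set on it. The log message also has a typo: `"Exception occurred while trying to evaluate the SPEL expression [" + expression + "]"`.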
@@ -27,10 +27,16 @@ public class SpelTagValueExpressionResolverTests {
|
||||
@Test
|
||||
public void should_use_spel_to_resolve_a_value() throws Exception {
|
||||
SpelTagValueExpressionResolver resolver = new SpelTagValueExpressionResolver();
|
||||
MyObject myObject = new MyObject();
|
||||
myObject.name = "hello";
|
||||
|
||||
String resolved = resolver.resolve("length() + 1", "foo");
|
||||
String resolved = resolver.resolve("name + ' world'", myObject);
|
||||
|
||||
then(resolved).isEqualTo("4");
|
||||
then(resolved).isEqualTo("hello world");
|
||||
}
|
||||
|
||||
public static class MyObject {
|
||||
public String name;
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
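Review bot: The rewritten test only covers the allowed path (`name + ' world'` against a public field), so nothing pins the behaviour this commit exists to change: the replaced assertion shows that `resolver.resolve("length() + 1", "foo")` used to evaluate to `"4"` through a method call, and no test now asserts that the same expression is rejected by the read-only context. A second test such as `should_not_invoke_methods_from_spel()` that calls `resolver.resolve("length() + 1", "foo")` and asserts the result is not `"4"` (the exact fallback is decided after the catch block in the resolver, outside this hunk, so assert the concrete value once confirmed) would make any future loosening of the evaluation context visible. The test class continues outside the hunk; the trailing `@Test` belongs to a following method.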