

Fixes #966 - Forbid static access to org.springframework.util in expressions
danielfernandez committed Jul 29, 2023
1 parent 44d67d2 commit 87b512d
Showing 4 changed files with 24 additions and 1 deletion.
Expand Up @@ -73,7 +73,7 @@ public final class ExpressionUtils {
"org.springframework.cglib.", "org.springframework.javapoet.", "org.springframework.objenesis.",
"org.springframework.web.", "org.springframework.webflow.", "org.springframework.context.",
"org.springframework.beans.", "org.springframework.aspects.", "org.springframework.aop.",
"org.springframework.expression."));
"org.springframework.expression.", "org.springframework.util."));


private static final Set<String> ALLOWED_JAVA_CLASS_NAMES;
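Review bot: The new `"org.springframework.util."` entry is added to the forbidden-prefix set without any comment saying why that package is now denied, and the set's declaration starts and ends outside this hunk. The file also declares `ALLOWED_JAVA_CLASS_NAMES` a few lines below, so a reader of the list cannot tell whether a class matching both a forbidden prefix and an allowed name is accepted or rejected, nor that a prefix denylist only covers the packages spelled out here. I would add above the initializer a comment along the lines of `// Package prefixes whose classes must not be reachable from template expressions; org.springframework.util was added for #966 (see the ReflectionUtils/ClassUtils/ResourceUtils test cases).` and, if `ALLOWED_JAVA_CLASS_NAMES` is indeed consulted first, state that precedence in the same comment.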
@@ -0,0 +1,7 @@
%TEMPLATE_MODE HTML
# ------------------------------------------------------------
%INPUT
<p th:text="${@org.springframework.util.ReflectionUtils@invokeMethod('something')}">NOT ALLOWED</p>
# ------------------------------------------------------------
%EXCEPTION org.thymeleaf.exceptions.TemplateProcessingException
%EXCEPTION_MESSAGE_PATTERN (.*)\Qforbidden for type\E(.*)
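Review bot: The `%EXCEPTION_MESSAGE_PATTERN (.*)\Qforbidden for type\E(.*)` assertion accepts any "forbidden for type" failure, so the test would still pass if the expression were rejected for a reason unrelated to the `org.springframework.util` prefix; the same applies to the ClassUtils and ResourceUtils files in this commit. If the exception message names the offending type, pinning it would make each case specific, e.g. `%EXCEPTION_MESSAGE_PATTERN (.*)\Qforbidden for type\E(.*)\QReflectionUtils\E(.*)`. All three cases also exercise only the `@Type@method(...)` static-call form; it is worth confirming that the other ways an expression can reference a type go through the same prefix check, or adding a case for them.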
@@ -0,0 +1,8 @@
%TEMPLATE_MODE HTML
# ------------------------------------------------------------
%INPUT
<p th:text="${@org.springframework.util.ClassUtils@invokeMethod('something')}">NOT ALLOWED</p>
# ------------------------------------------------------------
%EXCEPTION org.thymeleaf.exceptions.TemplateProcessingException
%EXCEPTION_MESSAGE_PATTERN (.*)\Qforbidden for type\E(.*)

@@ -0,0 +1,8 @@
%TEMPLATE_MODE HTML
# ------------------------------------------------------------
%INPUT
<p th:text="${@org.springframework.util.ResourceUtils@invokeMethod('something')}">NOT ALLOWED</p>
# ------------------------------------------------------------
%EXCEPTION org.thymeleaf.exceptions.TemplateProcessingException
%EXCEPTION_MESSAGE_PATTERN (.*)\Qforbidden for type\E(.*)
