From 10482aa7819439b0b571b4fd2f1e092f428b7cdc Mon Sep 17 00:00:00 2001
From: luelueking <93204032+luelueking@users.noreply.github.com>
Date: Thu, 2 Mar 2023 18:31:01 +0800
Subject: [PATCH] Fix spel expression injection vulnerability

---
 .../core/domain/mock/script/SpelScriptEvaluator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java b/core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
index d1c40c7..3a69bf8 100644
--- a/core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
+++ b/core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
@@ -3,7 +3,7 @@ package com.databasir.core.domain.mock.script;
 import lombok.RequiredArgsConstructor;
 import org.springframework.expression.Expression;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
 import org.springframework.stereotype.Component;
 
 @Component
@@ -15,7 +15,7 @@ public class SpelScriptEvaluator implements MockScriptEvaluator {
     @Override
     public String evaluate(String script, ScriptContext context) {
         Expression expression = spelExpressionParser.parseExpression(script);
-        StandardEvaluationContext spelContext = new StandardEvaluationContext(context);
+        SimpleEvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
         return expression.getValue(spelContext, String.class);
     }
 }
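Review bot: The new evaluation context in `evaluate` no longer carries `context` as the root object — the removed line passed it to `new StandardEvaluationContext(context)`, while the added line builds the context without it, so the `context` parameter is now unused and any mock script that reads properties of the `ScriptContext` root will fail to resolve rather than being hardened. Keeping the restricted context but restoring the root object is a one-line change: `SimpleEvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().withRootObject(context).build();`. Since `forReadOnlyDataBinding()` deliberately disallows method invocation, type references, constructors and bean references in the script, the method's Javadoc should state that contract so callers know only property reads on the context are supported, e.g. `Evaluates a user-supplied SpEL script against {@code context} in a read-only data-binding context; method calls, type references and bean references are rejected.` The enclosing class starts outside the hunk.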