7x31
/
databasir
mirror of https://github.com/vran-dev/databasir.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix spel expression injection vulnerability

This commit is contained in:
luelueking 2023-03-02 18:31:01 +08:00 committed by GitHub
parent e340f87d7a
commit 10482aa781
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
View File

@ -3,7 +3,7 @@ package com.databasir.core.domain.mock.script;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import org.springframework.expression.Expression; import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
@Component @Component
@ -15,7 +15,7 @@ public class SpelScriptEvaluator implements MockScriptEvaluator {
@Override @Override
public String evaluate(String script, ScriptContext context) { public String evaluate(String script, ScriptContext context) {
Expression expression = spelExpressionParser.parseExpression(script); Expression expression = spelExpressionParser.parseExpression(script);
StandardEvaluationContext spelContext = new StandardEvaluationContext(context); SimpleEvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
return expression.getValue(spelContext, String.class); return expression.getValue(spelContext, String.class);
} }
} }