7x31/databasir
1
0
Fork 0
mirror of https://github.com/vran-dev/databasir.git synced 2025-09-18 01:37:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix spel expression injection vulnerability (#270)

Browse Source
This commit is contained in:
luelueking
2023-03-03 21:15:56 +08:00
committed by GitHub
parent e340f87d7a
commit afc7b18330
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
View File

@@ -3,7 +3,7 @@ package com.databasir.core.domain.mock.script;
import lombok.RequiredArgsConstructor;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.stereotype.Component;
@Component
@@ -15,7 +15,7 @@ public class SpelScriptEvaluator implements MockScriptEvaluator {
@Override
public String evaluate(String script, ScriptContext context) {
Expression expression = spelExpressionParser.parseExpression(script);
StandardEvaluationContext spelContext = new StandardEvaluationContext(context);
SimpleEvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
return expression.getValue(spelContext, String.class);
}
}