7x31/databasir
1
0
Fork 0
mirror of https://github.com/vran-dev/databasir.git synced 2025-09-19 10:16:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix spel expression injection vulnerability (#270)

Browse Source
This commit is contained in:
luelueking
2023-03-03 21:15:56 +08:00
committed by GitHub
parent e340f87d7a
commit afc7b18330
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
core/src/main/java/com/databasir/core/domain/mock/script/SpelScriptEvaluator.java
View File

@@ -3,7 +3,7 @@ package com.databasir.core.domain.mock.script;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import org.springframework.expression.Expression; import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
@Component @Component
@@ -15,7 +15,7 @@ public class SpelScriptEvaluator implements MockScriptEvaluator {
@Override @Override
public String evaluate(String script, ScriptContext context) { public String evaluate(String script, ScriptContext context) {
Expression expression = spelExpressionParser.parseExpression(script); Expression expression = spelExpressionParser.parseExpression(script);
StandardEvaluationContext spelContext = new StandardEvaluationContext(context); SimpleEvaluationContext spelContext = SimpleEvaluationContext.forReadOnlyDataBinding().build();
return expression.getValue(spelContext, String.class); return expression.getValue(spelContext, String.class);
} }
} }