Spring Reject null and empty SpEL expressions - 玖涯软件开发|java/go/python

We have upgraded from Spring Framework 5.2.23 to 5.2.24, and now we are getting some NullPointerExceptions.

Looking in the stack traces we find that the issue is in InternalSpelExpressionParser.

With 5.2.24 there is now a 'checkExpressionLength(expressionString);' which calls:

    private void checkExpressionLength(String string) {
        if (string.length() > MAX_EXPRESSION_LENGTH) {
            throw new SpelEvaluationException(SpelMessage.MAX_EXPRESSION_LENGTH_EXCEEDED, MAX_EXPRESSION_LENGTH);
        }
    }

If string is null then string.length() results in a NullPointerException.

Is this the intended behavior of checkExpressionLength(), or is this a bug?

Comment From: quaff

Why string is null?

Comment From: sbrannen

The expressionString should never be null. If it is null, that is a user error.

org.springframework.expression.ExpressionParser.parseExpression(String) and related methods accepting the expressionString do not specify it as @Nullable.

Interestingly enough, prior to #30325, the following test passed.

    @Test
    void nullExpression() {
        ExpressionParser parser = new SpelExpressionParser();
        String expression = null;
        Expression expr = parser.parseExpression(expression);
        Object result = expr.getValue();
        assertThat(result).isNull();
    }

However, that was not by design. Rather, that was by accident.

Supplying a null expression internally resulted in an expression created by concatenating null with "\0" in the constructor for org.springframework.expression.spel.standard.Tokenizer.. Thus, supplying null as the expression was effectively equivalent to supplying "null" as the expression.

We currently do not have any planned releases for 5.2.x. Thus if you are encountering this issue with Spring Framework 5.2.x, please ensure that you do not supply a null reference as the expression string to parse. Alternatively, if you rely on the behavior of a null expression for some reason, you could alter your code to supply "null" as the expression string instead of a null reference.

For Spring Framework 5.3.x and 6.x, I think we should introduce an explicit Assert.notNull(...) or Assert.hasText(...) check for the user-supplied expression string.

Comment From: sbrannen

In light of the above, I am repurposing this ticket to fail early if null or an empty string is provided as the SpEL expression to parse.