Hi,
We are planning to use SpEL in our SaaS-based product to execute conditional expressions. My requirement is to evaluate conditions where the user can write conditional expressions using variables, constants and standard functions. So far I have used the SpelExpressionParser() parser to parse the expression, then StandardEvaluationContext() to create the context, and then used the expression's evaluate to evaluate the expression.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

ExpressionParser parser = new SpelExpressionParser();
// User-written condition; #Tag and #Name are resolved from the variables set on the context below
Expression exp = parser.parseExpression("(#Tag.matches('52.*') && #Name.toUpperCase().matches('DEF.*'))");
EvaluationContext context = new StandardEvaluationContext();
context.setVariable("Tag", "57345");
context.setVariable("Name", "defg");
Boolean result = (Boolean) exp.getValue(context);
This works fine for all my requirements, but my security team has concerns regarding using StandardEvaluationContext(). StandardEvaluationContext() can be exploited for SpEL injection and can be used for Remote Method Invocation using Java RMI. Here are some security concerns:
SpEL Injection attacks: https://0xn3va.gitbook.io/cheat-sheets/framework/spring/spel-injection
OWASP article on EL injection attacks: https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
We are suggested to use SimpleEvaluationContext(), where I see the limitation that I cannot use standard Java functions and user-defined functions (maybe I am not clear whether there is a way to use them).
Can someone guide me to understand:
- A safer way to use StandardEvaluationContext() where I can disable certain Java functions like RMI and System functions, so that I can use it safely in our product?
- If SimpleEvaluationContext() is the way to go, then can someone help me use standard functions and user-defined functions with it?
I am planning to use the latest 2.7.x version of the Spring framework and Java 11 in my code.
Thanks, Aditya Kumar
Comment From: quaff
You can implement your own EvaluationContext.
Comment From: snicoll
I think this is already covered in the documentation. The concern, I guess, is about how you can actually invoke an expression just like any unsafe input. As @quaff mentioned, you can implement your own context.
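As an added example (not code from this thread or from the Spring project) of the restricted-context approach both replies point to, the following evaluates the question's condition with SimpleEvaluationContext instead of StandardEvaluationContext, and registers a user-defined function the way the SpEL reference documentation describes, by storing a java.lang.reflect.Method as a variable. The class name and the `startsWithAny` helper are hypothetical names chosen here, and it assumes Spring Framework 5.3 (the line used by Spring Boot 2.7.x), where `withInstanceMethods()` is available.

```java
import java.lang.reflect.Method;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SafeConditionEvaluator {
    // Hypothetical user-defined function, exposed to expressions as #startsWithAny(value, prefixes)
    public static boolean startsWithAny(String value, String prefixes) {
        for (String p : prefixes.split(",")) {
            if (value.startsWith(p.trim())) return true;
        }
        return false;
    }

    private final ExpressionParser parser = new SpelExpressionParser();

    public boolean evaluate(String condition, Object tag, Object name) throws NoSuchMethodException {
        // Read-only data binding: no T(...) type references, constructors, bean references or assignment.
        // withInstanceMethods() permits instance-method calls on values (so #Name.toUpperCase() works)
        // but still refuses static methods and Class targets.
        EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withInstanceMethods()
                .build();
        context.setVariable("Tag", tag);
        context.setVariable("Name", name);
        // A Method stored as a variable is callable from the expression as #startsWithAny(...)
        Method fn = SafeConditionEvaluator.class.getDeclaredMethod("startsWithAny", String.class, String.class);
        context.setVariable("startsWithAny", fn);
        Expression exp = parser.parseExpression(condition);
        return Boolean.TRUE.equals(exp.getValue(context, Boolean.class));
    }

    public static void main(String[] args) throws Exception {
        SafeConditionEvaluator ev = new SafeConditionEvaluator();
        // The condition from the question, extended with a call to the registered function
        String ok = "#Tag.matches('52.*') && #Name.toUpperCase().matches('DEF.*') && #startsWithAny(#Tag, '52,53')";
        System.out.println(ev.evaluate(ok, "57345", "defg")); // Tag does not satisfy '52.*'
        System.out.println(ev.evaluate(ok, "52001", "defg")); // every clause is satisfied
        // Type references cannot be resolved in SimpleEvaluationContext, so evaluation fails
        // before any static or system-level method can be reached
        try {
            ev.evaluate("T(java.lang.System).currentTimeMillis() > 0", "x", "y");
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the context is built per evaluation, each request only sees the variables and functions deliberately registered for it, which is the allow-list the question's second point asks for.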