Affects: 5.x.x 6.x.x (not sure about older versions)
I'm using Spring Expression Language (SpEL) to allow user to specify customized data filter criteria.
As user can input any text for the criteria, I need validate the input SpEL expression. I did it with function SpelExpressionParser#parseRaw and consider ParseException as the signal of bad expression.
I found it throws IllegalArgumentException for some bad expression.
repro code:
new SpelExpressionParser().parseRaw("/^REGEX_PREFIX_/.test(myVariable)");
error log:
java.lang.IllegalArgumentException: Operand must not be null
at org.springframework.util.Assert.notNull(Assert.java:172)
at org.springframework.expression.spel.ast.SpelNodeImpl.<init>(SpelNodeImpl.java:80)
at org.springframework.expression.spel.ast.Operator.<init>(Operator.java:58)
at org.springframework.expression.spel.ast.OperatorPower.<init>(OperatorPower.java:38)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatPowerIncDecExpression(InternalSpelExpressionParser.java:322)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatProductExpression(InternalSpelExpressionParser.java:299)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatSumExpression(InternalSpelExpressionParser.java:278)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatRelationalExpression(InternalSpelExpressionParser.java:233)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatLogicalAndExpression(InternalSpelExpressionParser.java:220)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatLogicalOrExpression(InternalSpelExpressionParser.java:207)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.eatExpression(InternalSpelExpressionParser.java:168)
at org.springframework.expression.spel.standard.InternalSpelExpressionParser.doParseExpression(InternalSpelExpressionParser.java:138)
at org.springframework.expression.spel.standard.SpelExpressionParser.doParseExpression(SpelExpressionParser.java:63)
at org.springframework.expression.spel.standard.SpelExpressionParser.parseRaw(SpelExpressionParser.java:58)
Comment From: snicoll
Thanks for the suggestion but that's not how the SpEL parser works. I agree it would be nice if it would consistently throw a ParseException with a dedicated message that describes what the problem is and where but it would be a significant task. If you look at the spel.ast package, there are a lot of Assert calls like the one you're hitting above.