Not specifically for, but certainly related to, SONATYPE-2022-1764 https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

It would be very handy for future security use cases if some of the allow / deny settings on the WebDataBinder were configurable via properties. That would speed up fix/release processes and improve options in these security scenarios.

If this is already implemented I stand corrected; but if that's the case I haven't found it in the docs and would expect it to be mentioned as a remediation option.

Comment From: tubbynl

I'd also like to provide a pull request if that's allowed :)

Comment From: tubbynl

Preferably I'd like to customize the default WebDataBinder before controller specifics are applied; that would imply extending the ConfigurableWebBindingInitializer with extra properties for these allow/deny lists (which would also make it a spring-web thing first).

That seems to be discussed in https://github.com/spring-projects/spring-framework/issues/13244

I do think being able to configure these settings adds valuable CVE mitigation options in the future.
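One way to get property-driven allow/deny lists today, as an added example that is not code from this issue or from Spring Boot itself: a @ControllerAdvice whose @InitBinder applies lists bound from configuration properties. The app.binding prefix, the class names and the sample patterns are assumptions made for this example.

```java
// Added example (not from the issue or from Spring Boot): WebDataBinder allow/deny
// lists driven by properties, applied globally before controller-level @InitBinder
// methods run. Prefix "app.binding" and the class names are assumptions.
import java.util.ArrayList;
import java.util.List;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Bound from application.properties, e.g. (sample patterns constructed for this
// example; tune them to the model classes your controllers actually bind):
//   app.binding.disallowed-fields=class.*,*.class.*
//   app.binding.allowed-fields=name,email
@ConfigurationProperties(prefix = "app.binding")
public class BindingProperties {
    private List<String> allowedFields = new ArrayList<>();
    private List<String> disallowedFields = new ArrayList<>();

    public List<String> getAllowedFields() { return allowedFields; }
    public void setAllowedFields(List<String> v) { allowedFields = v; }
    public List<String> getDisallowedFields() { return disallowedFields; }
    public void setDisallowedFields(List<String> v) { disallowedFields = v; }
}

// @InitBinder methods on a @ControllerAdvice are invoked before the handling
// controller's own @InitBinder methods. Note that a controller calling
// setAllowedFields/setDisallowedFields itself replaces these arrays rather than
// merging with them, so such controllers need to be reviewed separately.
@ControllerAdvice
@EnableConfigurationProperties(BindingProperties.class)
class GlobalBinderAdvice {
    private final BindingProperties props;

    GlobalBinderAdvice(BindingProperties props) { this.props = props; }

    @InitBinder
    void applyBindingLists(WebDataBinder binder) {
        // Empty lists leave the WebDataBinder defaults untouched.
        if (!props.getAllowedFields().isEmpty()) {
            binder.setAllowedFields(props.getAllowedFields().toArray(new String[0]));
        }
        if (!props.getDisallowedFields().isEmpty()) {
            binder.setDisallowedFields(props.getDisallowedFields().toArray(new String[0]));
        }
    }
}
```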

Comment From: wilkinsona

Thanks for the suggestion. I agree that it implies adding properties to ConfigurableWebBindingInitializer which, as you've already found, has been discussed in https://github.com/spring-projects/spring-framework/issues/13244. Given both it and your pull request were declined, I don't think there's much that we can do here. If a change is made in Framework after all, we can re-open this and take another look.