spring-projects · Dec 16, 2021 · Jan 3, 2022 · Jan 27, 2022 · Mar 30, 2022 · Mar 30, 2022
diff --git a/build.gradle b/build.gradle
@@ -36,7 +36,7 @@ configure(allprojects) { project ->
 			mavenBom "org.junit:junit-bom:5.6.3"
 		}
 		dependencies {
-			dependencySet(group: 'org.apache.logging.log4j', version: '2.16.0') {
+			dependencySet(group: 'org.apache.logging.log4j', version: '2.17.1') {
 				entry 'log4j-api'
 				entry 'log4j-core'
 				entry 'log4j-jul'

diff --git a/ci/images/ci-image-jdk11/Dockerfile b/ci/images/ci-image-jdk11/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:focal-20210119
+FROM ubuntu:focal-20220302
 
 ADD setup.sh /setup.sh
 ADD get-jdk-url.sh /get-jdk-url.sh

diff --git a/ci/images/ci-image/Dockerfile b/ci/images/ci-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:focal-20210119
+FROM ubuntu:focal-20220302
 
 ADD setup.sh /setup.sh
 ADD get-jdk-url.sh /get-jdk-url.sh

diff --git a/ci/images/get-jdk-url.sh b/ci/images/get-jdk-url.sh
@@ -3,10 +3,10 @@ set -e
 
 case "$1" in
 	java8)
-		 echo "https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u282-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u282b08.tar.gz"
+		 echo "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u322-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u322b06.tar.gz"
 	;;
 	java11)
-		 echo "https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.10%2B9/OpenJDK11U-jdk_x64_linux_hotspot_11.0.10_9.tar.gz"
+		 echo "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.14.1%2B1/OpenJDK11U-jdk_x64_linux_hotspot_11.0.14.1_1.tar.gz"
 	;;
   *)
 		echo $"Unknown java version"

diff --git a/ci/pipeline.yml b/ci/pipeline.yml
@@ -48,7 +48,7 @@ resource_types:
   type: registry-image
   source:
     repository: springio/artifactory-resource
-    tag: 0.0.13
+    tag: 0.0.17
 - name: github-release
   type: registry-image
   source:

diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
-version=5.2.19.BUILD-SNAPSHOT
+version=5.2.20.RELEASE
 org.gradle.jvmargs=-Xmx1536M
 org.gradle.caching=true
 org.gradle.parallel=true
diff --git a/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java b/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.beans.IntrospectionException;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
+import java.security.ProtectionDomain;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -281,9 +282,13 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 			// This call is slow so we do it once.
 			PropertyDescriptor[] pds = this.beanInfo.getPropertyDescriptors();
 			for (PropertyDescriptor pd : pds) {
-				if (Class.class == beanClass &&
-						("classLoader".equals(pd.getName()) ||  "protectionDomain".equals(pd.getName()))) {
-					// Ignore Class.getClassLoader() and getProtectionDomain() methods - nobody needs to bind to those
+				if (Class.class == beanClass && (!"name".equals(pd.getName()) && !pd.getName().endsWith("Name"))) {
+					// Only allow all name variants of Class properties
+					continue;
+				}
+				if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
+						|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
+					// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
 					continue;
 				}
 				if (logger.isTraceEnabled()) {
@@ -321,6 +326,11 @@ private void introspectInterfaces(Class<?> beanClass, Class<?> currClass) throws
 						// GenericTypeAwarePropertyDescriptor leniently resolves a set* write method
 						// against a declared read method, so we prefer read method descriptors here.
 						pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
+						if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
+								|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
+							// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
+							continue;
+						}
 						this.propertyDescriptors.put(pd.getName(), pd);
 					}
 				}

diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
  *
  * @author Andy Clement
  * @author Juergen Hoeller
+ * @author Sam Brannen
  * @since 3.0
  */
 public enum SpelMessage {
@@ -255,7 +256,11 @@ public enum SpelMessage {
 
 	/** @since 4.3.17 */
 	FLAWED_PATTERN(Kind.ERROR, 1073,
-			"Failed to efficiently evaluate pattern ''{0}'': consider redesigning it");
+			"Failed to efficiently evaluate pattern ''{0}'': consider redesigning it"),
+
+	/** @since 5.2.20 */
+	MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED(Kind.ERROR, 1075,
+			"Array declares too many elements, exceeding the threshold of ''{0}''");
 
 
 	private final Kind kind;

diff --git a/...xpression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java b/...xpression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,10 +53,18 @@
  *
  * @author Andy Clement
  * @author Juergen Hoeller
+ * @author Sam Brannen
  * @since 3.0
  */
 public class ConstructorReference extends SpelNodeImpl {
 
+	/**
+	 * Maximum number of elements permitted in an array declaration, applying
+	 * to one-dimensional as well as multi-dimensional arrays.
+	 * @since 5.2.20
+	 */
+	private static final int MAX_ARRAY_ELEMENTS = 256 * 1024; // 256K
+
 	private final boolean isArrayConstructor;
 
 	@Nullable
@@ -259,14 +267,19 @@ private TypedValue createArray(ExpressionState state) throws EvaluationException
 					// Shortcut for 1-dimensional
 					TypedValue o = this.dimensions[0].getTypedValue(state);
 					int arraySize = ExpressionUtils.toInt(typeConverter, o);
+					checkNumElements(arraySize);
 					newArray = Array.newInstance(componentType, arraySize);
 				}
 				else {
 					// Multi-dimensional - hold onto your hat!
 					int[] dims = new int[this.dimensions.length];
+					long numElements = 1;
 					for (int d = 0; d < this.dimensions.length; d++) {
 						TypedValue o = this.dimensions[d].getTypedValue(state);
-						dims[d] = ExpressionUtils.toInt(typeConverter, o);
+						int arraySize = ExpressionUtils.toInt(typeConverter, o);
+						dims[d] = arraySize;
+						numElements *= arraySize;
+						checkNumElements(numElements);
 					}
 					newArray = Array.newInstance(componentType, dims);
 				}
@@ -327,6 +340,13 @@ else if (arrayTypeCode == TypeCode.SHORT) {
 		return new TypedValue(newArray);
 	}
 
+	private void checkNumElements(long numElements) {
+		if (numElements >= MAX_ARRAY_ELEMENTS) {
+			throw new SpelEvaluationException(getStartPosition(),
+					SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, MAX_ARRAY_ELEMENTS);
+		}
+	}
+
 	private void populateReferenceTypeArray(ExpressionState state, Object newArray, TypeConverter typeConverter,
 			InlineList initializer, Class<?> componentType) {