Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make maximum length of SpEL expressions in an ApplicationContext configurable #31952

Closed
bencehornak opened this issue Jan 5, 2024 · 2 comments
Closed

Make maximum length of SpEL expressions in an ApplicationContext configurable #31952

bencehornak opened this issue Jan 5, 2024 · 2 comments
Assignees
@sbrannen
Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement
Milestone
6.1.3

Comments

@bencehornak
Copy link

Affects: Spring Framework 5.2.24+

Background

Since #30325 (implemented in b73f5fc) the length of SpEL expressions is limited by default to 10000. As I understand it this is a mitigation against potential ReDoS exploits. However, in some cases this limitation is too low and prevents upgrading to recent Spring Framework versions.

While #30380 (implemented in aefcb9d) adds support for a custom maximumExpressionLength the feature is only accessible if one instantiates the SpelParserConfiguration class themselves.

In my case I would like to configure the SpelParserConfiguration created in the class StandardBeanExpressionResolver to accept my very long property by raising the maximumExpressionLength to a higher value than its default (10000).

spring-framework/spring-context/src/main/java/org/springframework/context/expression/StandardBeanExpressionResolver.java

Lines 91 to 105 in 0709797

/**
* Create a new {@code StandardBeanExpressionResolver} with default settings.
*/
public StandardBeanExpressionResolver() {
this.expressionParser = new SpelExpressionParser();
}
/**
* Create a new {@code StandardBeanExpressionResolver} with the given bean class loader,
* using it as the basis for expression compilation.
* @param beanClassLoader the factory's bean class loader
*/
public StandardBeanExpressionResolver(@Nullable ClassLoader beanClassLoader) {
this.expressionParser = new SpelExpressionParser(new SpelParserConfiguration(null, beanClassLoader));
}

Use case

I've got a huge map in my config:

myproperty={\
  a: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  b: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  c: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  # and so on, altogether 15000 characters
}

It is used by a property:

@Value("#{${myproperty}}")
private Map<String, Map<String,Map<String,String>>> myproperty;

If I try to start my application I get the following exception:

org.springframework.expression.spel.SpelEvaluationException: EL1079E: SpEL expression is too long, exceeding the threshold of '10,000' characters"}}

Proposal

Make the parameter maximumExpressionLength of SpelParserConfiguration configurable when it is instantiated in StandardBeanExpressionResolver.java (see the snippet above). Example (not sure what a conformant property name would be):

spring.standardBeanExpressionResolver.maximumExpressionLength=20000
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 5, 2024
@sbrannen sbrannen added the in: core Issues in core modules (aop, beans, core, context, expression) label Jan 5, 2024
@sbrannen sbrannen changed the title Make maximum SpEL expression length configurable for StandardBeanExpressionResolver Make maximum SpEL expression length configurable for StandardBeanExpressionResolver Jan 5, 2024
@sbrannen sbrannen added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 8, 2024
@sbrannen sbrannen self-assigned this Jan 8, 2024
@sbrannen
Copy link
Member

sbrannen commented Jan 8, 2024
edited

I've discussed this with @jhoeller, and we've decided to make the maximum expression length configurable via a System/Spring property named spring.context.expression.maxLength.

The plan is to have StandardBeanExpressionResolver constructors honor this property when present.

@sbrannen sbrannen added this to the 6.1.3 milestone Jan 8, 2024
@bencehornak
Copy link
Author

Awesome, thanks!!

@bencehornak bencehornak mentioned this issue Jan 9, 2024
Closed
@sbrannen sbrannen changed the title Make maximum SpEL expression length configurable for StandardBeanExpressionResolver Make maximum length of SpEL expressions in an ApplicationContext configurable Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbrannen sbrannen

Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.3
Development

Successfully merging a pull request may close this issue.

Add spring.context.expression.maxLength property bencehornak/spring-framework
3 participants
@sbrannen @bencehornak @spring-projects-issues