-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into BUILD-4733
- Loading branch information
Showing
3 changed files
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| == How to fix it in JSP | ||
|
|
||
| === Code examples | ||
|
|
||
| The following code is vulnerable to arbitrary code execution because it compiles | ||
| and runs HTTP data. | ||
|
|
||
| ==== Noncompliant code example | ||
|
|
||
| [source,java,diff-id=21,diff-type=noncompliant] | ||
| ---- | ||
| <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %> | ||
| <spring:eval expression="${tainted}" var="result"/> | ||
| ---- | ||
|
|
||
| ==== Compliant solution | ||
|
|
||
| It is not possible to securely include user input in a SpEL expression inside of | ||
| the template. Evaluate the expression in the controller and pass the result to | ||
| the template instead. | ||
|
|
||
| [source,java,diff-id=21,diff-type=compliant] | ||
| ---- | ||
| import org.springframework.expression.Expression; | ||
| import org.springframework.expression.ExpressionParser; | ||
| import org.springframework.expression.spel.standard.SpelExpressionParser; | ||
| import org.springframework.ui.Model; | ||
| @Controller | ||
| public class ExampleController | ||
| { | ||
| @GetMapping(value = "/") | ||
| public void exec(@RequestParam("message") String message, Model model) { | ||
| StandardEvaluationContext evaluationContext = new StandardEvaluationContext(); | ||
| evaluationContext.setVariable("msg", message); | ||
| ExpressionParser parser = new SpelExpressionParser(); | ||
| Expression exp = parser.parseExpression("#msg"); | ||
| String result = (String) exp.getValue(evaluationContext); | ||
| model.addAttribute("result", result); | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| === How does this work? | ||
|
|
||
| include::../../common/fix/introduction.adoc[] | ||
|
|
||
| include::../../common/fix/parameters.adoc[] | ||
|
|
||
| The compliant code example uses such an approach. | ||
|
|
||
| include::../../common/fix/allowlist.adoc[] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,6 +22,9 @@ | |
| "5.1.4", | ||
| "5.2.4", | ||
| "5.5.4" | ||
| ], | ||
| "STIG ASD 2023-06-08": [ | ||
| "V-222609" | ||
| ] | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters