OGNL Expression Language statement with user-controlled input

ID: java/ognl-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-917
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. Because OGNL expressions can create or change executable code, OGNL can introduce critical security flaws into any application that uses it. Evaluation of unvalidated expressions is a common flaw in applications that use OGNL: it exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.
Recommendation
The general recommendation is to avoid evaluating untrusted OGNL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.
Example
In the following examples, the code accepts an OGNL expression from the user and evaluates it.
In the first example, the user-provided OGNL expression is parsed and evaluated.
The second example validates the expression and evaluates it inside a sandbox. You can enable the sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to the JVM arguments.

```java
import javax.servlet.http.HttpServletRequest;
import ognl.Ognl;
import ognl.OgnlException;

public void evaluate(HttpServletRequest request, Object root) throws OgnlException {
    String expression = request.getParameter("expression");

    // BAD: User provided expression is evaluated
    Ognl.getValue(expression, root);

    // GOOD: The name is validated and expression is evaluated in sandbox
    System.setProperty("ognl.security.manager", ""); // Or add -Dognl.security.manager to JVM args
    if (isValid(expression)) {
        Ognl.getValue(expression, root);
    } else {
        // Reject the request
    }
}

public boolean isValid(String expression) {
    // Custom method to validate the expression.
    // For instance, make sure it doesn't include unexpected code.
    return false; // Placeholder: replace with the application's own validation
}
```
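An added example, not code from the CodeQL repository or the OGNL project, that fills in the `isValid` stub above with a strict allowlist (bare property paths only, matched against the paths the endpoint is meant to expose) and places it in front of the sandboxed `Ognl.getValue` call. It assumes the OGNL library on the classpath and Java 9 or later; the `SafeOgnlEvaluator` class, the `EXPOSED` set and the `User` and `Address` root objects are constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import ognl.Ognl;
import ognl.OgnlException;

public class SafeOgnlEvaluator {
    // Accept only bare property paths (identifiers joined by dots). This excludes method
    // calls, '@' static access, '#' context variables, assignment, operators and literals.
    private static final Pattern PROPERTY_PATH =
        Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$");
    private static final int MAX_LENGTH = 64;
    // Hypothetical allowlist: the only paths this endpoint is meant to expose.
    private static final Set<String> EXPOSED = Set.of("name", "address.city");

    static boolean isValid(String expression) {
        return expression != null
            && expression.length() <= MAX_LENGTH
            && PROPERTY_PATH.matcher(expression).matches()
            && EXPOSED.contains(expression);
    }

    static Object evaluate(String expression, Object root) throws OgnlException {
        if (!isValid(expression)) {
            throw new IllegalArgumentException("expression not in allowlist");
        }
        // Defence in depth: validated expressions are still run inside the OGNL sandbox.
        System.setProperty("ognl.security.manager", "");
        return Ognl.getValue(expression, root);
    }

    // Constructed root object standing in for the application's data model.
    public static class Address { public String getCity() { return "Berlin"; } }
    public static class User {
        public String getName() { return "alice"; }
        public Address getAddress() { return new Address(); }
    }

    public static void main(String[] args) {
        User root = new User();
        // Constructed request parameters: two legitimate paths, three that must be rejected.
        List<String> inputs = List.of("name", "address.city",
                                      "name.toUpperCase()", "address.city = 'x'", "#root");
        for (String expr : inputs) {
            try {
                System.out.println(expr + " -> " + evaluate(expr, root));
            } catch (IllegalArgumentException | OgnlException e) {
                System.out.println(expr + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```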
References
Apache Commons: Apache Commons OGNL.
Struts security: Proactively protect from OGNL Expression Injections attacks.
Common Weakness Enumeration: CWE-917.