CodeQL documentation

Expression language injection (Spring)

ID: java/spel-expression-injection
Kind: path-problem
Security severity: 9.3
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-094
Query suites:
  - java-code-scanning.qls
  - java-security-extended.qls
  - java-security-and-quality.qls

Click to see the query in the CodeQL repository

The Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.

The SpelExpressionParser class parses a SpEL expression string and returns an Expression instance that can then be evaluated by calling one of its methods. By default, an expression is evaluated in a powerful StandardEvaluationContext that allows the expression to access other methods available in the JVM.

Recommendation

In general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should then be evaluated in a limited context that doesn't allow arbitrary method invocation.

Example

The following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.Socket;
    import org.springframework.expression.Expression;
    import org.springframework.expression.ExpressionParser;
    import org.springframework.expression.spel.standard.SpelExpressionParser;

    public Object evaluate(Socket socket) throws IOException {
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(socket.getInputStream()))) {
            String string = reader.readLine();
            ExpressionParser parser = new SpelExpressionParser();
            // BAD: string is controlled by the user
            Expression expression = parser.parseExpression(string);
            // Evaluated in the default StandardEvaluationContext, so the
            // attacker-supplied expression can invoke arbitrary JVM methods
            return expression.getValue();
        }
    }

The next example shows how an untrusted SpEL expression can be run in a SimpleEvaluationContext that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.Socket;
    import org.springframework.expression.Expression;
    import org.springframework.expression.ExpressionParser;
    import org.springframework.expression.spel.standard.SpelExpressionParser;
    import org.springframework.expression.spel.support.SimpleEvaluationContext;

    public Object evaluate(Socket socket) throws IOException {
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(socket.getInputStream()))) {
            String string = reader.readLine();
            ExpressionParser parser = new SpelExpressionParser();
            // AVOID: string is controlled by the user
            Expression expression = parser.parseExpression(string);
            SimpleEvaluationContext context =
                SimpleEvaluationContext.forReadWriteDataBinding().build();
            // OK: Untrusted expressions are evaluated in a restricted context
            return expression.getValue(context);
        }
    }
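The following added example (not part of the CodeQL documentation or the Spring project; it assumes spring-expression on the classpath and a hypothetical Order class) shows the pattern the recommendation above prefers, where the expression text is a developer-owned constant and the untrusted value only enters evaluation as data, and it checks concretely what SimpleEvaluationContext refuses compared with StandardEvaluationContext.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical data object; the expression can only reach it through its getters.
    public static class Order {
        private final int quantity;
        private final double unitPrice;
        public Order(int quantity, double unitPrice) {
            this.quantity = quantity;
            this.unitPrice = unitPrice;
        }
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    // The expression is a fixed, developer-written string. Values derived from user
    // input are bound as variables, so they are treated as data and never parsed as code.
    static final String TOTAL_EXPRESSION = "#order.quantity * #order.unitPrice";

    public static double total(ExpressionParser parser, Order order) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("order", order);
        return parser.parseExpression(TOTAL_EXPRESSION).getValue(ctx, Double.class);
    }

    // Returns whether the expression evaluates in the given context. A data-binding
    // SimpleEvaluationContext registers no MethodResolver, so even a harmless method
    // call such as 'abc'.toUpperCase() fails with a SpelEvaluationException there,
    // while the default StandardEvaluationContext evaluates it.
    public static boolean evaluates(Expression expression, EvaluationContext ctx) {
        try {
            expression.getValue(ctx);
            return true;
        } catch (EvaluationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        ExpressionParser parser = new SpelExpressionParser();
        System.out.println("total = " + total(parser, new Order(3, 2.5)));
        Expression methodCall = parser.parseExpression("'abc'.toUpperCase()");
        System.out.println("standard: " + evaluates(methodCall, new StandardEvaluationContext()));
        System.out.println("simple:   " + evaluates(methodCall,
                SimpleEvaluationContext.forReadOnlyDataBinding().build()));
    }
}
```

The "simple" case is the property CodeQL relies on when it stops reporting a flow that ends in SimpleEvaluationContext: property reads and operators still work, method invocation and type references do not.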
