authorThomas <>2022-03-31 11:40:59 +0200
committerThomas <>2022-03-31 11:40:59 +0200
commitbb7d93d64e05ca0ee982205d996c25dfe60887b1 (patch)
treeae9e74ff29dc305c91a7c48c435c780151b941bf /eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils
parenta27486899dcabd12623c645c481b98a4817a05ed (diff)
feature(spring): add Spring controller advice to set default set of disallowed files for DataBinder
This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell"). This is a mitigation. For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
Diffstat (limited to 'eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils')
-rw-r--r--eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java27
1 files changed, 27 insertions, 0 deletions
diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
new file mode 100644
index 00000000..43f37a59
--- /dev/null
+++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
@@ -0,0 +1,27 @@
+package at.gv.egiz.eaaf.utils.springboot.utils;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.validation.DataBinder;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+@ControllerAdvice
+@Order(10000)
+public class DataBinderControllerAdvice {
+
+ /**
+ * Set list of form parameters that are disallowed by default.
+ *
+ * @param dataBinder Spring {@link DataBinder} implementation
+ */
+ @InitBinder
+ public void setDisallowedFields(WebDataBinder dataBinder) {
+ // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+ // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+ dataBinder.setDisallowedFields(denylist);
+
+ }
+}
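Review bot: `dataBinder.setDisallowedFields(denylist)` replaces whatever disallowed fields are already set on the binder instead of adding to them, so the protection is only as strong as the last caller. An advice that ran earlier loses its own entries here, and a controller-local `@InitBinder` that calls `setDisallowedFields` afterwards silently drops this denylist for that controller (Spring invokes global advice binders before controller-local ones, as far as I know). Merging covers the first case: `dataBinder.setDisallowedFields(StringUtils.concatenateStringArrays(dataBinder.getDisallowedFields(), denylist));` with `org.springframework.util.StringUtils` imported. For the second, the Javadoc should say that controllers setting their own disallowed fields must include these patterns, and that this advice is a stop-gap until the Spring Framework dependency is on a release that fixes the issue. The comment on the line above the denylist also has an unbalanced quote before `Class Loader Manipulation`.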