diff options
author | Thomas <> | 2022-03-31 11:40:59 +0200 |
---|---|---|
committer | Thomas <> | 2022-03-31 11:40:59 +0200 |
commit | bb7d93d64e05ca0ee982205d996c25dfe60887b1 (patch) | |
tree | ae9e74ff29dc305c91a7c48c435c780151b941bf /eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf | |
parent | a27486899dcabd12623c645c481b98a4817a05ed (diff) | |
download | EAAF-Components-bb7d93d64e05ca0ee982205d996c25dfe60887b1.tar.gz EAAF-Components-bb7d93d64e05ca0ee982205d996c25dfe60887b1.tar.bz2 EAAF-Components-bb7d93d64e05ca0ee982205d996c25dfe60887b1.zip |
feature(spring): add Spring controller advice to set default set of disallowed files for DataBinder
This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").This is a midigation for
For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
Diffstat (limited to 'eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf')
-rw-r--r-- | eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java new file mode 100644 index 00000000..43f37a59 --- /dev/null +++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java @@ -0,0 +1,27 @@ +package at.gv.egiz.eaaf.utils.springboot.utils; + +import org.springframework.core.annotation.Order; +import org.springframework.validation.DataBinder; +import org.springframework.web.bind.WebDataBinder; +import org.springframework.web.bind.annotation.ControllerAdvice; +import org.springframework.web.bind.annotation.InitBinder; + +@ControllerAdvice +@Order(10000) +public class DataBinderControllerAdvice { + + /** + * Set list of form parameters that are disallowed by default. + * + * @param dataBinder Spring {@link DataBinder} implementation + */ + @InitBinder + public void setDisallowedFields(WebDataBinder dataBinder) { + // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell"). + // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing. + // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ + final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" }; + dataBinder.setDisallowedFields(denylist); + + } +} |