| author | Thomas <> | 2022-03-31 14:34:18 +0200 | 
|---|---|---|
| committer | Thomas <> | 2022-03-31 14:34:18 +0200 | 
| commit | 5629b8bee9c7d3bc78386461f1b9026a5009fded (patch) | |
| tree | 1f1480f9ce714a4080daed055a6f0edaebdce726 /eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf | |
| parent | 1beb1609bfd26c1ac0988087714c65d53ca6d122 (diff) | |
chore(core): add log message to DataBinderControllerAdvice -> setDisallowedFields
Diffstat (limited to 'eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf')
| -rw-r--r-- | eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java | 12 | 
1 files changed, 9 insertions, 3 deletions
| diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
index 43f37a59..00cecaf2 100644
--- a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
+++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
@@ -1,15 +1,21 @@
 package at.gv.egiz.eaaf.utils.springboot.utils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.annotation.Order;
 import org.springframework.validation.DataBinder;
 import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.InitBinder;
+import lombok.extern.slf4j.Slf4j;
+
 @ControllerAdvice
 @Order(10000)
+@Slf4j
 public class DataBinderControllerAdvice {
+  private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+  
   /**
    * Set list of form parameters that are disallowed by default.
   *
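Review bot: `DENYLIST` is declared `private static String[]` without `final`, so the array that backs this Spring4Shell mitigation is a reassignable static rather than a constant, which its UPPER_SNAKE name promises; change the declaration to `private static final String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };`. Arrays stay mutable even when final, so a short comment above it such as `// Shared with every WebDataBinder this advice initialises; never hand out or modify in place` would document the constraint for the next maintainer. The class body continues outside this hunk.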
@@ -19,9 +25,9 @@ public class DataBinderControllerAdvice {
   public void setDisallowedFields(WebDataBinder dataBinder) {
     // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
     // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
-    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
-    final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
-    dataBinder.setDisallowedFields(denylist);
+    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/    
+    dataBinder.setDisallowedFields(DENYLIST);
+    log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
   }
 }
| 
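Review bot: The new `log.trace` line evaluates `StringUtils.join(DENYLIST, ",")` eagerly on every binder initialisation even when trace logging is disabled, and that call is the only reason for the new commons-lang3 import in the first hunk; `log.trace("Set denyList for Spring DataBinder: {}", String.join(",", DENYLIST));` does the same with the JDK, and wrapping it in `if (log.isTraceEnabled())` avoids the work entirely when nobody is listening. Separately, the `-`/`+` pair for the lunasec comment line differs only in trailing whitespace added on the new side, which makes the diff noisier than the change warrants; strip the trailing spaces so that line stays untouched. Since the existing comment already calls this a mitigation, it would help to state next to `setDisallowedFields(DENYLIST)` that the deny list does not replace keeping the Spring Framework itself patched; the enclosing class ends inside this hunk.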
