summaryrefslogtreecommitdiff
path: root/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java')
-rw-r--r--eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java12
1 files changed, 9 insertions, 3 deletions
diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
index 43f37a59..00cecaf2 100644
--- a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
+++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
@@ -1,15 +1,21 @@
package at.gv.egiz.eaaf.utils.springboot.utils;
+import org.apache.commons.lang3.StringUtils;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
+import lombok.extern.slf4j.Slf4j;
+
@ControllerAdvice
@Order(10000)
+@Slf4j
public class DataBinderControllerAdvice {
+ private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+
/**
* Set list of form parameters that are disallowed by default.
*
@@ -19,9 +25,9 @@ public class DataBinderControllerAdvice {
public void setDisallowedFields(WebDataBinder dataBinder) {
// This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
// By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
- // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
- final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
- dataBinder.setDisallowedFields(denylist);
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ dataBinder.setDisallowedFields(DENYLIST);
+ log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-02 19:52:15 +0000