From 5629b8bee9c7d3bc78386461f1b9026a5009fded Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 31 Mar 2022 14:34:18 +0200 Subject: chore(core): add log message to DataBinderControllerAdvice -> setDisallowedFields --- .../utils/springboot/utils/DataBinderControllerAdvice.java | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java index 43f37a59..00cecaf2 100644 --- a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java +++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java @@ -1,15 +1,21 @@ package at.gv.egiz.eaaf.utils.springboot.utils; +import org.apache.commons.lang3.StringUtils; import org.springframework.core.annotation.Order; import org.springframework.validation.DataBinder; import org.springframework.web.bind.WebDataBinder; import org.springframework.web.bind.annotation.ControllerAdvice; import org.springframework.web.bind.annotation.InitBinder; +import lombok.extern.slf4j.Slf4j; + @ControllerAdvice @Order(10000) +@Slf4j public class DataBinderControllerAdvice { + private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" }; + /** * Set list of form parameters that are disallowed by default. * @@ -19,9 +25,9 @@ public class DataBinderControllerAdvice { public void setDisallowedFields(WebDataBinder dataBinder) { // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell"). // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing. - // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ - final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" }; - dataBinder.setDisallowedFields(denylist); + // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ + dataBinder.setDisallowedFields(DENYLIST); + log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ",")); } } -- cgit v1.2.3