From 5629b8bee9c7d3bc78386461f1b9026a5009fded Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 14:34:18 +0200
Subject: chore(core): add log message to DataBinderControllerAdvice ->
 setDisallowedFields

---
 .../utils/springboot/utils/DataBinderControllerAdvice.java   | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
index 43f37a59..00cecaf2 100644
--- a/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
+++ b/eaaf-springboot-utils/src/main/java/at/gv/egiz/eaaf/utils/springboot/utils/DataBinderControllerAdvice.java
@@ -1,15 +1,21 @@
 package at.gv.egiz.eaaf.utils.springboot.utils;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.annotation.Order;
 import org.springframework.validation.DataBinder;
 import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.InitBinder;
 
+import lombok.extern.slf4j.Slf4j;
+
 @ControllerAdvice
 @Order(10000)
+@Slf4j
 public class DataBinderControllerAdvice {
 
+  private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+  
   /**
    * Set list of form parameters that are disallowed by default.
    * 
@@ -19,9 +25,9 @@ public class DataBinderControllerAdvice {
   public void setDisallowedFields(WebDataBinder dataBinder) {
     // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
     // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
-    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
-    final String[] denylist = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
-    dataBinder.setDisallowedFields(denylist);
+    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/    
+    dataBinder.setDisallowedFields(DENYLIST);
+    log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
 
   }
 }
-- 
cgit v1.2.3