authorThomas <>2022-03-31 13:00:02 +0200
committerThomas <>2022-03-31 13:18:22 +0200
commita35373663d66666d6af5bbe819c7e6bab6cf9989 (patch)
tree736bed0b6854879261759768aa05775f9f03867d
parenta5e47021055405237384137b0a54c6e4a7d6b43d (diff)
feature(core): add deny-list for Spring DataBinder
This mitigates a possible RCE attack called "Spring4Shell"
-rw-r--r--connector/src/main/resources/applicationContext.xml2
-rw-r--r--modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java33
2 files changed, 35 insertions, 0 deletions
diff --git a/connector/src/main/resources/applicationContext.xml b/connector/src/main/resources/applicationContext.xml
index ec8e79f4..5c5e245c 100644
--- a/connector/src/main/resources/applicationContext.xml
+++ b/connector/src/main/resources/applicationContext.xml
@@ -28,6 +28,8 @@
<bean id="springContextClosingHandler"
class="at.asitplus.eidas.specific.core.SpringContextCloseHandler" />
+ <bean class="at.asitplus.eidas.specific.core.controller.DataBinderControllerAdvice" />
+
<beans profile="deprecatedConfig">
<bean id="BasicMSSpecificNodeConfig"
class="at.asitplus.eidas.specific.core.config.BasicConfigurationProvider">
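Review bot: The new `DataBinderControllerAdvice` bean is wired only into the connector's `applicationContext.xml`, while the class itself is added to the shared `core_common_webapp` module; any other web application built on that module (none is visible in this diff) would get no deny-list unless it repeats this bean definition. If the module is meant to carry the mitigation for every deployment, consider registering the advice from the module's own configuration (or annotating it `@Component` and covering it by the existing component scan) so the protection cannot be forgotten in a second context. The enclosing `<beans>` element starts outside the hunk.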
diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
new file mode 100644
index 00000000..0d983c16
--- /dev/null
+++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
@@ -0,0 +1,33 @@
+package at.asitplus.eidas.specific.core.controller;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.annotation.Order;
+import org.springframework.validation.DataBinder;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+import lombok.extern.slf4j.Slf4j;
+
+@ControllerAdvice
+@Order(10000)
+@Slf4j
+public class DataBinderControllerAdvice {
+
+ private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+
+ /**
+ * Set list of form parameters that are disallowed by default.
+ *
+ * @param dataBinder Spring {@link DataBinder} implementation
+ */
+ @InitBinder
+ public void setDisallowedFields(WebDataBinder dataBinder) {
+ // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+ // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ dataBinder.setDisallowedFields(DENYLIST);
+ log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
+
+ }
+}
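Review bot: The `log.info` on the last statement of `setDisallowedFields` runs every time Spring creates a `WebDataBinder`, which is at least once per request that binds parameters, so it will flood the log at INFO level in production; log the list once (for example from a constructor or `@PostConstruct`) or lower it to `log.debug("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));`. `DENYLIST` is a mutable `private static String[]`; declare it `private static final String[] DENYLIST = ...` so the array reference cannot be swapped out. The Javadoc should also state that this is the published Spring4Shell workaround rather than a fix: `setDisallowedFields` is a pattern denylist (the duplicated `class.*`/`Class.*` entries exist because matching in the affected Spring versions is case-sensitive), so it belongs alongside, not instead of, upgrading Spring Framework to a patched release, and a controller-level `@InitBinder` that calls `setDisallowedFields` itself would presumably replace this list rather than extend it — worth a comment like `// NOTE: controller @InitBinder methods must not call setDisallowedFields, it overrides this list`.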