diff options
| author | Thomas <> | 2022-03-31 13:00:02 +0200 |
|---|---|---|
| committer | Thomas <> | 2022-03-31 13:18:22 +0200 |
| commit | a35373663d66666d6af5bbe819c7e6bab6cf9989 (patch) | |
| tree | 736bed0b6854879261759768aa05775f9f03867d | |
| parent | a5e47021055405237384137b0a54c6e4a7d6b43d (diff) | |
| download | National_eIDAS_Gateway-a35373663d66666d6af5bbe819c7e6bab6cf9989.tar.gz National_eIDAS_Gateway-a35373663d66666d6af5bbe819c7e6bab6cf9989.tar.bz2 National_eIDAS_Gateway-a35373663d66666d6af5bbe819c7e6bab6cf9989.zip | |
feature(core): add deny-list for Spring DataBinder
This mitigates possible RCE attacked called "Spring4Shell"
| -rw-r--r-- | connector/src/main/resources/applicationContext.xml | 2 | ||||
| -rw-r--r-- | modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java | 33 |
2 files changed, 35 insertions, 0 deletions
diff --git a/connector/src/main/resources/applicationContext.xml b/connector/src/main/resources/applicationContext.xml index ec8e79f4..5c5e245c 100644 --- a/connector/src/main/resources/applicationContext.xml +++ b/connector/src/main/resources/applicationContext.xml @@ -28,6 +28,8 @@ <bean id="springContextClosingHandler" class="at.asitplus.eidas.specific.core.SpringContextCloseHandler" /> + <bean class="at.asitplus.eidas.specific.core.controller.DataBinderControllerAdvice" /> + <beans profile="deprecatedConfig"> <bean id="BasicMSSpecificNodeConfig" class="at.asitplus.eidas.specific.core.config.BasicConfigurationProvider"> diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java new file mode 100644 index 00000000..0d983c16 --- /dev/null +++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java @@ -0,0 +1,33 @@ +package at.asitplus.eidas.specific.core.controller; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.core.annotation.Order; +import org.springframework.validation.DataBinder; +import org.springframework.web.bind.WebDataBinder; +import org.springframework.web.bind.annotation.ControllerAdvice; +import org.springframework.web.bind.annotation.InitBinder; + +import lombok.extern.slf4j.Slf4j; + +@ControllerAdvice +@Order(10000) +@Slf4j +public class DataBinderControllerAdvice { + + private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" }; + + /** + * Set list of form parameters that are disallowed by default. + * + * @param dataBinder Spring {@link DataBinder} implementation + */ + @InitBinder + public void setDisallowedFields(WebDataBinder dataBinder) { + // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell"). + // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing. + // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ + dataBinder.setDisallowedFields(DENYLIST); + log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ",")); + + } +} |