From 1f76d31e8e8f5a7bc6cd5694b989955ddc2ddc58 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 13:00:02 +0200
Subject: feature(core): add deny-list for Spring DataBinder
This mitigates possible RCE attacked called "Spring4Shell"
---
.../src/main/resources/applicationContext.xml | 2 ++
.../controller/DataBinderControllerAdvice.java | 33 ++++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
diff --git a/connector/src/main/resources/applicationContext.xml b/connector/src/main/resources/applicationContext.xml
index ec8e79f4..5c5e245c 100644
--- a/connector/src/main/resources/applicationContext.xml
+++ b/connector/src/main/resources/applicationContext.xml
@@ -28,6 +28,8 @@
+
+
diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
new file mode 100644
index 00000000..0d983c16
--- /dev/null
+++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
@@ -0,0 +1,33 @@
+package at.asitplus.eidas.specific.core.controller;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.annotation.Order;
+import org.springframework.validation.DataBinder;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+import lombok.extern.slf4j.Slf4j;
+
+@ControllerAdvice
+@Order(10000)
+@Slf4j
+public class DataBinderControllerAdvice {
+
+ private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+
+ /**
+ * Set list of form parameters that are disallowed by default.
+ *
+ * @param dataBinder Spring {@link DataBinder} implementation
+ */
+ @InitBinder
+ public void setDisallowedFields(WebDataBinder dataBinder) {
+ // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+ // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ dataBinder.setDisallowedFields(DENYLIST);
+ log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
+
+ }
+}
--
cgit v1.2.3
From deb287570c9248b9cf39af981a976c335f434b84 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 14:36:02 +0200
Subject: chore(core): change log-level in 'DataBinderControllerAdvice'
---
.../eidas/specific/core/controller/DataBinderControllerAdvice.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
index 0d983c16..e69826d0 100644
--- a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
+++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
@@ -27,7 +27,7 @@ public class DataBinderControllerAdvice {
// By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
// For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
dataBinder.setDisallowedFields(DENYLIST);
- log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
+ log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
}
}
--
cgit v1.2.3
From 9c732c794b99e1bd64efd584f5becaae76025de0 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 14:38:17 +0200
Subject: refactor(core): remove deprecated operations on openSAML4 API
---
.../eidas/specific/connector/config/PvpEndPointConfiguration.java | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java
index c62cbeef..81c37bd0 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java
@@ -89,11 +89,11 @@ public class PvpEndPointConfiguration implements IPvp2BasicConfiguration {
final SurName surname = Saml2Utils.createSamlObject(SurName.class);
final EmailAddress emailAddress = Saml2Utils.createSamlObject(EmailAddress.class);
- givenName.setName(getAndVerifyFromConfiguration(
+ givenName.setValue(getAndVerifyFromConfiguration(
MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_GIVENNAME));
- surname.setName(getAndVerifyFromConfiguration(
+ surname.setValue(getAndVerifyFromConfiguration(
MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_SURNAME));
- emailAddress.setAddress(getAndVerifyFromConfiguration(
+ emailAddress.setURI(getAndVerifyFromConfiguration(
MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_EMAIL));
contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL);
@@ -121,7 +121,7 @@ public class PvpEndPointConfiguration implements IPvp2BasicConfiguration {
MsEidasNodeConstants.CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME));
orgUrl.setXMLLang(DEFAULT_XML_LANG);
- orgUrl.setValue(getAndVerifyFromConfiguration(
+ orgUrl.setURI(getAndVerifyFromConfiguration(
MsEidasNodeConstants.CONFIG_PROPS_METADATA_ORGANISATION_URL));
--
cgit v1.2.3