From 942fb62a525ca49dfd1845a309d9cbc76d612c17 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 17 Mar 2022 08:09:55 +0100
Subject: build(core): switch to next snapshot version
---
modules/core_common_webapp/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core_common_webapp/pom.xml b/modules/core_common_webapp/pom.xml
index b36153e6..a7090761 100644
--- a/modules/core_common_webapp/pom.xml
+++ b/modules/core_common_webapp/pom.xml
@@ -3,7 +3,7 @@
at.asitplus.eidas.ms_specific
modules
- 1.2.4-SNAPSHOT
+ 1.3.0-SNAPSHOT
core_common_webapp
WebApplication commons
--
From 1f76d31e8e8f5a7bc6cd5694b989955ddc2ddc58 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 13:00:02 +0200
Subject: feature(core): add deny-list for Spring DataBinder
This mitigates a possible RCE attack known as "Spring4Shell" (CVE-2022-22965)
---
.../controller/DataBinderControllerAdvice.java | 33 ++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
new file mode 100644
index 00000000..0d983c16
--- /dev/null
+++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
@@ -0,0 +1,33 @@
+package at.asitplus.eidas.specific.core.controller;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.annotation.Order;
+import org.springframework.validation.DataBinder;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+import lombok.extern.slf4j.Slf4j;
+
+@ControllerAdvice
+@Order(10000)
+@Slf4j
+public class DataBinderControllerAdvice {
+
+ private static String[] DENYLIST = new String[] { "class.*", "Class.*", "*.class.*", "*.Class.*" };
+
+ /**
+ * Set list of form parameters that are disallowed by default.
+ *
+ * @param dataBinder Spring {@link DataBinder} implementation
+ */
+ @InitBinder
+ public void setDisallowedFields(WebDataBinder dataBinder) {
+ // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+ // By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ dataBinder.setDisallowedFields(DENYLIST);
+ log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
+
+ }
+}
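Review bot: `DENYLIST` near the top of the class is a mutable, non-final static array that is handed straight to `setDisallowedFields`, so any code that reassigns the field or writes into the array weakens the mitigation silently; declare it `private static final String[] DENYLIST = ...`. It is also worth a comment above the `setDisallowedFields` call that Spring's `DataBinder.setDisallowedFields` replaces the current list rather than appending to it, so a controller that declares its own `@InitBinder` and calls `setDisallowedFields` drops this global denylist for that controller, and that this advice is a hardening layer rather than a substitute for upgrading to a Spring Framework release that fixes the class-loader binding (5.3.18+ / 5.2.20+ per the Spring advisory). Minor: the in-code comment `"Class Loader Manipulation attack vector` has no closing quote.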
--
From deb287570c9248b9cf39af981a976c335f434b84 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 31 Mar 2022 14:36:02 +0200
Subject: chore(core): change log-level in 'DataBinderControllerAdvice'
---
.../eidas/specific/core/controller/DataBinderControllerAdvice.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
index 0d983c16..e69826d0 100644
--- a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
+++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/controller/DataBinderControllerAdvice.java
@@ -27,7 +27,7 @@ public class DataBinderControllerAdvice {
// By applying this mitigation, you prevent the "Class Loader Manipulation attack vector from firing.
// For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
dataBinder.setDisallowedFields(DENYLIST);
- log.info("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
+ log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(DENYLIST, ","));
}
}
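Review bot: The `@InitBinder` method this line sits in runs on every request that triggers data binding, so the old `info` call was per-request noise while the new `trace` call means the active denylist is effectively never visible in production logs; a one-time message at startup would serve operators better than either. Consider emitting the list once from a `@PostConstruct` method, e.g. `log.info("Spring DataBinder denyList active: {}", StringUtils.join(DENYLIST, ","));`, and keeping this per-request line at `trace`. The enclosing `setDisallowedFields` method starts outside this hunk.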
--
From ecc1dd834c5af467a5aa0f77e5dc6d986c6af418 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Tue, 5 Apr 2022 08:59:31 +0200
Subject: build(core): switch to new snapshot version
---
modules/core_common_webapp/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core_common_webapp/pom.xml b/modules/core_common_webapp/pom.xml
index a7090761..a7efdf15 100644
--- a/modules/core_common_webapp/pom.xml
+++ b/modules/core_common_webapp/pom.xml
@@ -3,7 +3,7 @@
at.asitplus.eidas.ms_specific
modules
- 1.3.0-SNAPSHOT
+ 1.2.5-SNAPSHOT
core_common_webapp
WebApplication commons
--