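package at.asitplus.eidas.specific.core.controller;

import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.commons.lang3.StringUtils;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import lombok.extern.slf4j.Slf4j;

/**
 * Global {@link ControllerAdvice} that registers a deny-list of form-parameter names on every
 * {@link WebDataBinder} created for a controller method.
 *
 * <p>The deny-list blocks binding into {@code class} / {@code Class} property paths, which is the
 * entry point of the "Class Loader Manipulation" attack used by the Spring4Shell RCE. Newer Spring
 * versions ship a built-in check for these paths; keeping the explicit list here acts as defence in
 * depth and makes the policy visible in this code base.
 *
 * <p>Thread-safety: the class holds only an immutable, never-mutated constant and is safe to share
 * as a singleton bean.
 */
@ControllerAdvice
@Order(10000)
@Slf4j
public class DataBinderControllerAdvice {

  /**
   * Field patterns that must never be bound from request parameters. {@code final} so the policy
   * cannot be swapped at runtime; the array itself is never handed out or modified.
   */
  private static final String[] DENYLIST =
      new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};

  /**
   * Set list of form parameters that are disallowed by default.
   *
   * <p>{@link DataBinder#setDisallowedFields(String...)} <em>replaces</em> any previously
   * configured list rather than appending to it. To avoid silently dropping restrictions that
   * another binder customizer already installed, the existing disallowed fields are merged with
   * {@link #DENYLIST} before being set. Note that an {@code @InitBinder} method declared on a
   * controller runs after global advice, so such a method calling {@code setDisallowedFields}
   * would still replace this list — verify none does.
   *
   * @param dataBinder Spring {@link DataBinder} implementation (never {@code null})
   */
  @InitBinder
  public void setDisallowedFields(WebDataBinder dataBinder) {
    // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
    // By applying this mitigation, you prevent the "Class Loader Manipulation" attack vector from
    // firing.
    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

    // LinkedHashSet keeps the caller's order, de-duplicates, and never lets the DENYLIST entries
    // be lost because an earlier customizer already populated the binder.
    Set<String> merged = new LinkedHashSet<>();
    String[] existing = dataBinder.getDisallowedFields();
    if (existing != null) {
      Collections.addAll(merged, existing);
    }
    Collections.addAll(merged, DENYLIST);

    String[] disallowed = merged.toArray(new String[0]);
    dataBinder.setDisallowedFields(disallowed);
    log.trace("Set denyList for Spring DataBinder: {}", StringUtils.join(disallowed, ","));
  }
}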