Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

java - Sonar and findsecbugs Potential code injection when using Spring Expression

We have a spring-boot (2.4.2) application and an Aspect class that does some handling "Around" methods annotated with a custom annotation, defined by us, and using SpEL handling.

The SpEL expressions are defined as fields in the annotation, by us.

When running the Sonar tool, together with Findsecbugs, we are told that we have a vulnerability in the code, with the error "This use of org/springframework/expression/ExpressionParser.parseExpression(Ljava/lang/String;)Lorg/springframework/expression/Expression; could be vulnerable to code injection (Spring Expression)". The offending line is line 4 below:

```java
private final ExpressionParser elParser = new SpelExpressionParser();   // line 1
// ...
@Around(value = "@annotation(myCustomAnnotation)")                       // line 2
public Object aroundAdviceHandler(ProceedingJoinPoint joinPoint,          // line 3
                                  MyCustomAnnotation myCustomAnnotation) throws Throwable {
    // ...
    // line 4: the call flagged by Sonar / findsecbugs (SPEL_INJECTION)
    Expression expression = elParser.parseExpression(myCustomAnnotation.entityId());
    // ...
}
```

The annotated code that uses this Aspect looks like:

```java
@Transactional
@MyCustomAnnotation(entityId = "[0].id") // some other methods may have here only "[0]" or "[0].otherId"
public Long save(JustADto dto) {
    // ...
}
```

And finally, the custom Annotation looks like:

```java
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface MyCustomAnnotation {
    String entityId() default "";
}
```

This code doesn't seem to have any vulnerability, because the input for the Spring expression is provided by us. Is this a false positive by Findsecbugs? Is there any way to prevent the Sonar & Findsecbugs error from appearing, other than using the `@SuppressFBWarnings(value = {"SPEL_INJECTION"}, justification = "false positive")` annotation?

question from: https://stackoverflow.com/questions/66058688/sonar-and-findsecbugs-potential-code-injection-when-using-spring-expression
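For context on why the scanner fires and what a defender can do about it without a suppression: findsecbugs flags every `ExpressionParser.parseExpression` call whose argument is not a literal, because it cannot tell that the string ultimately comes from an annotation element, and Java requires annotation element values to be compile-time constants, so `entityId()` cannot be influenced by a request. The example below is an added illustration, not the asker's code or Spring's own; it assumes the annotation and DTO shape from the question (a `JustADto` with a public `getId()` getter) and the class name `EntityIdAspect` is made up. It evaluates the annotation's SpEL against the advised method's argument array, caches the parsed expression per annotation value, and evaluates it with `SimpleEvaluationContext` in read-only data-binding mode, which only permits property access and indexing (no type references, bean references, constructors or assignment). That narrows what any expression could do even if one were ever sourced from somewhere less trusted, and it is the mitigation usually paired with this finding.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.stereotype.Component;

// Hypothetical aspect name; the annotation MyCustomAnnotation is the one from the question.
@Aspect
@Component
public class EntityIdAspect {

    private final ExpressionParser parser = new SpelExpressionParser();

    // One parsed Expression per distinct annotation value. The set of values is fixed
    // at compile time (annotation elements must be constant expressions), so this map
    // cannot grow under request load.
    private final Map<String, Expression> cache = new ConcurrentHashMap<>();

    @Around("@annotation(myCustomAnnotation)")
    public Object aroundAdviceHandler(ProceedingJoinPoint joinPoint,
                                      MyCustomAnnotation myCustomAnnotation) throws Throwable {
        // "[0].id" indexes the argument array and reads getId() of the first argument.
        Long entityId = resolveEntityId(myCustomAnnotation.entityId(), joinPoint.getArgs());
        // ... use entityId (e.g. auditing or locking) before/after the call ...
        return joinPoint.proceed();
    }

    // Package-private so the logic can be unit-tested without a Spring context.
    Long resolveEntityId(String spel, Object[] args) {
        Expression expression = cache.computeIfAbsent(spel, parser::parseExpression);

        // Read-only data binding: property access and array/list/map indexing only.
        // Type references such as T(...), bean references (@bean), constructors and
        // assignments are rejected by this context at evaluation time.
        EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        // The argument array is the root object, so "[0]" is the first method parameter.
        return expression.getValue(context, args, Long.class);
    }
}
```

With this in place the finding can still be reported by the scanner (it keys on the `parseExpression` call site, not on the evaluation context), so the suppression annotation from the question remains the way to silence it; the difference is that the justification is then backed by a restricted evaluation context rather than only by the argument that the annotation values are constants.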


1 Reply

Waiting for answers
