Restricting Jakarta EL expressions to avoid RCE
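/**
 * Evaluates a strictly allow-listed Jakarta EL expression taken from the request.
 *
 * <p>The {@code questionToBackend} parameter is never handed to the EL engine as-is:
 * it must fully match the allow-list pattern (for example {@code inside.temperature})
 * before it is wrapped in {@code ${...}}. Everything else is rejected, which keeps
 * arbitrary EL (method invocation, static calls, reflection) away from the evaluator.
 * Requests without the parameter are passed on to the next handler.
 *
 * @param request the incoming request; only {@code questionToBackend} is read
 * @throws IllegalArgumentException if the parameter has no value or does not fully
 *     match the allow-list
 */
void handle(HttpRequest request) {
    if (!request.hasParameter("questionToBackend")) {
        callNextHandler(request);
        return;
    }
    String input = request.getParameter("questionToBackend");
    // NOTE(review): assumes getParameter may still yield null even when hasParameter
    // is true — treated as an invalid expression rather than letting matches() NPE.
    if (input == null) {
        throw new IllegalArgumentException("Unexpected expression");
    }
    // String.matches() requires the WHOLE input to match, so this is a true allow-list
    // of four fixed identifiers, not a substring search that could be prefixed/suffixed.
    final String pattern = "(inside|outside)\\.(temperature|humidity)";
    if (!input.matches(pattern)) {
        throw new IllegalArgumentException("Unexpected expression");
    }
    // Only the validated identifier is interpolated into the expression.
    String expression = "${" + input + "}";
    ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
    ELContext context = new de.odysseus.el.util.SimpleContext();
    ValueExpression e = factory.createValueExpression(context, expression, Object.class);
    Object object = e.getValue(context);
    handleResult(object);
}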