Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit SpEL expression length #30325

Closed
bclozel opened this issue Apr 13, 2023 · 0 comments
Closed

Limit SpEL expression length #30325

bclozel opened this issue Apr 13, 2023 · 0 comments
Assignees
@sbrannen
Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
6.0.8

Comments

@bclozel
Copy link
Member

bclozel commented Apr 13, 2023

We should apply a limit to how large a SpEL expression can be.
@bclozel bclozel added in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement labels Apr 13, 2023
@bclozel bclozel added this to the 6.0.8 milestone Apr 13, 2023
@github-actions github-actions bot added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.3.x status: backported An issue that has been backported to maintenance branches labels Apr 13, 2023
@github-actions github-actions bot mentioned this issue Apr 13, 2023
Closed
@github-actions github-actions bot added the status: backported An issue that has been backported to maintenance branches label Apr 13, 2023
@github-actions github-actions bot mentioned this issue Apr 13, 2023
Closed
@sbrannen sbrannen mentioned this issue Apr 25, 2023
Closed
sbrannen added a commit to sbrannen/spring-framework that referenced this issue Apr 25, 2023
@sbrannen
Reject null and empty SpEL expressions
de113f1 
Prior to spring-projectsgh-30325, supplying a null reference for a SpEL expression was
effectively equivalent to supplying the String "null" as the
expression. Consequently, evaluation of a null reference expression
always evaluated to a null reference. However, that was accidental
rather than by design.

Due to the introduction of the checkExpressionLength(String) method in
InternalSpelExpressionParser (in conjunction with spring-projectsgh-30325), an attempt
to evaluate a null reference as a SpEL expression now results in a
NullPointerException.

To address both of these issues,
TemplateAwareExpressionParser.parseExpression() and
SpelExpressionParser.parseRaw() now reject null and empty SpEL
expressions.

Closes spring-projectsgh-30371
sbrannen added a commit that referenced this issue Apr 25, 2023
@sbrannen
Reject null and empty SpEL expressions
964950a 
Prior to gh-30325, supplying a null reference for a SpEL expression was
effectively equivalent to supplying the String "null" as the
expression. Consequently, evaluation of a null reference expression
always evaluated to a null reference. However, that was accidental
rather than by design.

Due to the introduction of the checkExpressionLength(String) method in
InternalSpelExpressionParser (in conjunction with gh-30325), an attempt
to evaluate a null reference as a SpEL expression now results in a
NullPointerException.

To address both of these issues,
TemplateAwareExpressionParser.parseExpression() and
SpelExpressionParser.parseRaw() now reject null and empty SpEL
expressions.

See gh-30371
Closes gh-30373
@oscardatastream oscardatastream mentioned this issue Apr 26, 2023
Open
@tpoeppke tpoeppke mentioned this issue May 25, 2023
Closed
@cxronen cxronen mentioned this issue May 25, 2023
Open
@diogopcx diogopcx mentioned this issue Jun 27, 2023
Open
@AASMACMX AASMACMX mentioned this issue Apr 26, 2023
Open
@cxronen cxronen mentioned this issue Jul 19, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 20, 2023
Open
@apcxtest apcxtest mentioned this issue Aug 17, 2023
Closed
@cxronen cxronen mentioned this issue May 25, 2023
Open
@bencehornak bencehornak mentioned this issue Jan 5, 2024
Closed
@Sang140790 Sang140790 mentioned this issue Jun 6, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbrannen sbrannen

Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
6.0.8
Development

No branches or pull requests
2 participants
@bclozel @sbrannen