Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable SpEL selector support in WebSocket messaging by default #30550

Closed
1 task done
sbrannen opened this issue May 25, 2023 · 2 comments
Closed
1 task done

Disable SpEL selector support in WebSocket messaging by default #30550

sbrannen opened this issue May 25, 2023 · 2 comments
Assignees
@sbrannen
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
6.1.0-M1

Comments

@sbrannen
Copy link
Member

sbrannen commented May 25, 2023
edited
Loading

Overview

In an effort to reduce the potential for security vulnerabilities in SpEL to adversely affect Spring applications, the team has decided to disable support for evaluating SpEL expressions from untrusted sources by default.

Within the core Spring Framework, this applies to the SpEL-based selector header support in WebSocket messaging, specifically in the DefaultSubscriptionRegistry.

The selector header support will remain in place but will have to be explicitly enabled beginning with Spring Framework 6.1.

We will also investigate alternative approaches to the selector header feature that do not involve SpEL, and we may later decide to deprecate the SpEL-based selector header support in favor of such an alternative.

Deliverables

  • Disable SpEL selector support in DefaultSubscriptionRegistry by default.
@sbrannen sbrannen added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement labels May 25, 2023
@sbrannen sbrannen added this to the 6.1.0-M1 milestone May 25, 2023
@sbrannen sbrannen self-assigned this May 25, 2023
@Vishal1297

This comment was marked as outdated.

Sign in to view
@sbrannen

This comment was marked as outdated.

Sign in to view
@sbrannen sbrannen changed the title Disable SpEL selector support in DefaultSubscriptionRegistry by default Disable SpEL selector support in WebSocket messaging by default May 31, 2023
sbrannen added a commit that referenced this issue Jun 1, 2023
@sbrannen
Test status quo for SpEL 'selector' support in messaging
21397a6 
Prior to this commit, the tests we had in place for SpEL 'selector'
support did not assert what happens when a selector expression does not
match or when a selector header is not present.

See gh-30550
sbrannen added a commit that referenced this issue Jun 4, 2023
@sbrannen
Enhance unit tests for status quo for SpEL 'selector' support in mess…
cc50af0 
…aging

See gh-30550
sbrannen added a commit that referenced this issue Jun 4, 2023
@sbrannen
Integration test status quo for SpEL 'selector' support in messaging
2f35e77 
See gh-30550
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbrannen sbrannen

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.0-M1
Development

No branches or pull requests
2 participants
@sbrannen @Vishal1297