Expression Language Injection
Description
The application is vulnerable to Expression Language Injection. Passing user-supplied input directly to Spring Framework's `SpelExpressionParser.parseExpression` and evaluating the resulting expression may allow an adversary to execute arbitrary Java code, including OS system commands.
Examples
Insecure Code
```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;

SpelExpressionParser parser = new SpelExpressionParser();
Expression parsedExpression = parser.parseExpression(userInput); // later evaluated with the default, unrestricted context
```
Secure Code
```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

SpelExpressionParser parser = new SpelExpressionParser();
// Restricted context: data binding only, no type references, constructors or bean references
SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
Expression parsedExpression = parser.parseExpression(userInput);
Object result = parsedExpression.getValue(context); // evaluated under the restricted context
```
Remediation
Evaluate expressions with a `SimpleEvaluationContext`, which exposes a reduced set of functionality and restricts evaluation to read-only or read-write data binding. Prefer alternatives such as a lookup table that maps user input to hardcoded values, so that user input never reaches the parser at all.
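The following added example is not part of this rule page or of Spring's own code. It shows both remediations together: a lookup table that maps a user-chosen key to a hardcoded expression, and a `SimpleEvaluationContext` as the evaluation context for the case where a free-form expression must still be evaluated. The class names `SafeFieldResolver` and `Customer`, the `FIELD_EXPRESSIONS` map and the sample data are assumptions made for the example; the Spring calls (`SimpleEvaluationContext.forReadOnlyDataBinding()`, `Expression.getValue` with a root object) are the real API.

```java
import java.util.Map;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SafeFieldResolver {

    // Hypothetical data object exposed to the expressions; only its public getters are reachable.
    public static class Customer {
        private final String name;
        private final String email;

        public Customer(String name, String email) {
            this.name = name;
            this.email = email;
        }

        public String getName() { return name; }
        public String getEmail() { return email; }
    }

    // Lookup table (assumed): the user selects a key, the SpEL expression itself is hardcoded.
    private static final Map<String, String> FIELD_EXPRESSIONS = Map.of(
            "name", "name",
            "email", "email");

    // SpelExpressionParser is thread-safe and can be shared.
    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Read-only data binding: property access on the root object only. Type references,
    // constructors, bean references and method invocation are not available in this context.
    private static final SimpleEvaluationContext CONTEXT =
            SimpleEvaluationContext.forReadOnlyDataBinding().build();

    // Preferred remediation: user input is only a lookup key and never reaches parseExpression.
    public static String resolveField(String userKey, Customer customer) {
        String expressionString = FIELD_EXPRESSIONS.get(userKey);
        if (expressionString == null) {
            throw new IllegalArgumentException("Unknown field: " + userKey);
        }
        Expression expression = PARSER.parseExpression(expressionString);
        return expression.getValue(CONTEXT, customer, String.class);
    }

    // Fallback for code that must still accept a free-form expression: evaluate it under the
    // restricted context and treat every parse or evaluation error as a rejection.
    public static Object evaluateRestricted(String expressionString, Customer customer) {
        try {
            Expression expression = PARSER.parseExpression(expressionString);
            return expression.getValue(CONTEXT, customer);
        } catch (ParseException | EvaluationException e) {
            throw new IllegalArgumentException("Expression rejected: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data for the demonstration.
        Customer customer = new Customer("Ada", "ada@example.com");

        System.out.println(resolveField("email", customer));
        System.out.println(evaluateRestricted("name", customer));

        // A constructor reference needs a type locator, which SimpleEvaluationContext does not
        // provide, so the expression is rejected at evaluation time instead of being executed.
        try {
            evaluateRestricted("new java.lang.StringBuilder('x')", customer);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`resolveField` is the shape to aim for: the only thing the user controls is which hardcoded expression runs. `evaluateRestricted` is a second line of defence rather than a substitute; it narrows what an expression can do, but any expression that reaches the parser should still be treated as untrusted and its failures logged as a potential injection attempt.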
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0720 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-917 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | Expression Language Injection, SpelExpressionParser |
| OWASP | A1:2017-Injection, A03:2021-Injection |