Allow configuration of QueryEngine for Map repositories #576

Closed
smurf667 opened this issue May 29, 2024 · 4 comments

@smurf667

Hello, our code started to fail with UncategorizedKeyValueException after upgrading to Spring Boot 3.3.0:

```
Exception in thread "main" org.springframework.data.keyvalue.core.UncategorizedKeyValueException: class java.lang.String cannot be cast to class java.util.function.Predicate (java.lang.String and java.util.function.Predicate are in module java.base of loader 'bootstrap')
```

It turns out that the SpelQueryEngine is no longer used by default (despite the documentation saying so according to my reading). Also, I don't know how to configure this engine.

I have an example project at https://github.com/smurf667/demo-keyvalue which demonstrates the issue. Run `mvn spring-boot:run` to see the exception. Uncomment the older version 3.2.6 to make this work.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 29, 2024
@mp911de
Member

mp911de commented May 29, 2024

We intentionally switched to a Predicate-based query engine to avoid exploitation through SpEL. You can switch back to the SpEL query engine by utilizing a bit of reflection:

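```java
@Bean
KeyValueTemplate mapKeyValueTemplate() throws ReflectiveOperationException {

    // SpelQueryEngine is not a public class, so it is looked up by name and instantiated reflectively.
    Class<QueryEngine<? extends KeyValueAdapter, ?, ?>> spelQueryEngineClass = (Class) Class.forName("org.springframework.data.keyvalue.core.SpelQueryEngine");
    MapKeyValueAdapter adapter = new MapKeyValueAdapter(BeanUtils.instantiateClass(spelQueryEngineClass));

    // The template then evaluates queries through the SpEL engine instead of the Predicate-based default.
    return new KeyValueTemplate(adapter);
}
```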

With the switch, we missed updating the documentation.

@mp911de mp911de added the for: team-attention An issue we need to discuss as a team to make progress label May 29, 2024
@smurf667
Author

Thank you Mark. Speaking for us, we won't be using reflection and will switch our code so it uses the Predicate-based query engine, also to avoid any trouble with potential SpEL exploitation. If that engine should not be used, maybe deprecate and later remove it? If it may be used, then I suppose a better way than reflection ought to be possible, but that's just my opinion.

Thanks, feel free to close this issue, or use it as the vehicle to update the documentation.

@mp911de
Member

mp911de commented May 29, 2024

I'm going to take the issue to the team. We might make the query engines public classes to offer some choice. Also, we need to consider how one would configure query engines.

SpEL isn't a bad choice, it is more that a Predicate-based approach is much safer for the default case in which we don't know whether queries can be supplied from untrusted sources.
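
The point about untrusted query sources can be seen in a small, stand-alone sketch. This is an added example, not code from this thread or from Spring Data; `Person`, `FILTERABLE` and `byProperty` are hypothetical names and the data is constructed. Caller-supplied filter input is turned into a `java.util.function.Predicate` through an allowlist of properties, so the value is only ever compared as data and never parsed as an expression.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;

// Added example: names below are hypothetical, not part of Spring Data.
public class PredicateFilterExample {

    record Person(String name, String city) {}

    // Allowlist: the only properties a caller may filter on, each bound to a typed accessor.
    static final Map<String, Function<Person, String>> FILTERABLE = Map.of(
            "name", Person::name,
            "city", Person::city);

    // Builds a predicate from caller-supplied input. The property name is used only as a
    // map key and the value only as an equals() operand; neither is evaluated as code.
    static Predicate<Person> byProperty(String property, String value) {
        Function<Person, String> accessor = FILTERABLE.get(property);
        if (accessor == null) {
            throw new IllegalArgumentException("Filtering on '" + property + "' is not allowed");
        }
        return person -> Objects.equals(value, accessor.apply(person));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Person> people = List.of(
                new Person("Alice", "Berlin"),
                new Person("Bob", "Paris"));

        // Ordinary input: matches the one person living in Berlin.
        System.out.println(people.stream().filter(byProperty("city", "Berlin")).toList());

        // Constructed input shaped like an expression fragment. Concatenated into a query
        // string it would change the query's meaning; here it is a literal that matches nothing.
        String untrusted = "Berlin' or 'x' == 'x";
        System.out.println(people.stream().filter(byProperty("city", untrusted)).toList());

        // A property outside the allowlist is rejected before any filtering happens.
        try {
            byProperty("class", "x");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The exception in the original report shows the default engine casting the query criteria to `java.util.function.Predicate`, so a predicate built this way is the kind of criteria that engine expects.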

@mp911de mp911de added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged for: team-attention An issue we need to discuss as a team to make progress labels Jun 3, 2024
@mp911de mp911de self-assigned this Jun 3, 2024
@mp911de
Member

mp911de commented Jun 3, 2024

We are going to introduce means for configuring the Query Engine, likely through a QueryEngineFactory abstraction that can be configured through @EnableMapRepositories.

@mp911de mp911de changed the title New default QueryEngine since Spring Boot 3.3.0 - possible regression Allow configuration of QueryEngine for Map repositories Jun 4, 2024
mp911de added a commit that referenced this issue Jun 4, 2024
EnableMapRepositories now accepts a QueryEngineFactory to configure the QueryEngine and allows configuring the QueryCreator.

Closes #576
christophstrobl pushed a commit that referenced this issue Jun 12, 2024
EnableMapRepositories now accepts a QueryEngineFactory to configure the QueryEngine and allows configuring the QueryCreator.

Closes: #576
Original Pull Request: #577
@christophstrobl christophstrobl added this to the 3.3.1 (2024.0.1) milestone Jun 12, 2024