Make maximum length of SpEL expressions in an `ApplicationContext` configurable #31952

bencehornak · 2024-01-05T09:42:04Z

Affects: Spring Framework 5.2.24+

Background

Since #30325 (implemented in b73f5fc) the length of SpEL expressions is limited by default to 10000. As I understand it this is a mitigation against potential ReDoS exploits. However, in some cases this limitation is too low and prevents upgrading to recent Spring Framework versions.

While #30380 (implemented in aefcb9d) adds support for a custom maximumExpressionLength the feature is only accessible if one instantiates the SpelParserConfiguration class themselves.

In my case I would like to configure the SpelParserConfiguration created in the class StandardBeanExpressionResolver to accept my very long property by raising the maximumExpressionLength to a higher value than its default (10000).

spring-framework/spring-context/src/main/java/org/springframework/context/expression/StandardBeanExpressionResolver.java

Lines 91 to 105 in 0709797

    
           	/** 
        
           	 * Create a new {@code StandardBeanExpressionResolver} with default settings. 
        
           	 */ 
        
           	public StandardBeanExpressionResolver() { 
        
           		this.expressionParser = new SpelExpressionParser(); 
        
           	} 
        
           	/** 
        
           	 * Create a new {@code StandardBeanExpressionResolver} with the given bean class loader, 
        
           	 * using it as the basis for expression compilation. 
        
           	 * @param beanClassLoader the factory's bean class loader 
        
           	 */ 
        
           	public StandardBeanExpressionResolver(@Nullable ClassLoader beanClassLoader) { 
        
           		this.expressionParser = new SpelExpressionParser(new SpelParserConfiguration(null, beanClassLoader)); 
        
           	}

Use case

I've got a huge map in my config:

myproperty={\
  a: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  b: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  c: {\
    x: { host: '10.1.1.1', port: 1234 },\
    y: { host: '10.1.1.1', port: 1234 },\
    z: { host: '10.1.1.1', port: 1234 }\
  },\
  # and so on, altogether 15000 characters
}

It is used by a property:

@Value("#{${myproperty}}")
private Map<String, Map<String,Map<String,String>>> myproperty;

If I try to start my application I get the following exception:

org.springframework.expression.spel.SpelEvaluationException: EL1079E: SpEL expression is too long, exceeding the threshold of '10,000' characters"}}

Proposal

Make the parameter maximumExpressionLength of SpelParserConfiguration configurable when it is instantiated in StandardBeanExpressionResolver.java (see the snippet above). Example (not sure what a conformant property name would be):

spring.standardBeanExpressionResolver.maximumExpressionLength=20000

The text was updated successfully, but these errors were encountered:

sbrannen · 2024-01-08T16:15:38Z

I've discussed this with @jhoeller, and we've decided to make the maximum expression length configurable via a System/Spring property named spring.context.expression.maxLength.

The plan is to have StandardBeanExpressionResolver constructors honor this property when present.

bencehornak · 2024-01-09T06:50:32Z

Awesome, thanks!!

…xpressions Spring Expression Lanuage (SpEL) has a default limit of 10,000 characters. Springframework provides the feature to configure the limit. This feature allows to configure the limit of characters for SpEL expressions. Approach: In order to use an expression with characters more than the given default limit, require to follow either of the below approaches: 1. For Springframework >=5.3.28 and <6.1.3, by setting `maximumExpressionLength` field while instantiating the custom `SpelParserConfiguration` class. spring-projects/spring-framework#30380 spring-projects/spring-framework#30446 2. For Springframework >=6.1.3, by setting a JVM system property or Spring property named `spring.context.expression.maxLength` to the maximum expression length needed by your application. spring-projects/spring-framework#31952 spring-projects/spring-framework@7855986 Spinnaker supports spring boot 2.7.18, that brings springframework 5.3.31 [https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions.propertie9]. So first approach need to be implemented along with spinnaker enhancement to expose the `maximumExpressionLength` field.

…xpressions (#1193) Spring Expression Lanuage (SpEL) has a default limit of 10,000 characters. Springframework provides the feature to configure the limit. This feature allows to configure the limit of characters for SpEL expressions. Approach: In order to use an expression with characters more than the given default limit, require to follow either of the below approaches: 1. For Springframework >=5.3.28 and <6.1.3, by setting `maximumExpressionLength` field while instantiating the custom `SpelParserConfiguration` class. spring-projects/spring-framework#30380 spring-projects/spring-framework#30446 2. For Springframework >=6.1.3, by setting a JVM system property or Spring property named `spring.context.expression.maxLength` to the maximum expression length needed by your application. spring-projects/spring-framework#31952 spring-projects/spring-framework@7855986 Spinnaker supports spring boot 2.7.18, that brings springframework 5.3.31 [https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions.propertie9]. So first approach need to be implemented along with spinnaker enhancement to expose the `maximumExpressionLength` field. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…xpressions (#4755) Spring Expression Lanuage (SpEL) has a default limit of 10,000 characters. Springframework provides the feature to configure the limit. This feature allows to configure the limit of characters for SpEL expressions. Approach: In order to use an expression with characters more than the given default limit, require to follow either of the below approaches: 1. For Springframework >=5.3.28 and <6.1.3, by setting `maximumExpressionLength` field while instantiating the custom `SpelParserConfiguration` class. spring-projects/spring-framework#30380 spring-projects/spring-framework#30446 2. For Springframework >=6.1.3, by setting a JVM system property or Spring property named `spring.context.expression.maxLength` to the maximum expression length needed by your application. spring-projects/spring-framework#31952 spring-projects/spring-framework@7855986 Spinnaker supports spring boot 2.7.18, that brings springframework 5.3.31 [https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions.propertie9]. So first approach need to be implemented along with spinnaker enhancement to expose the `maximumExpressionLength` field. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…xpressions (#1429) Spring Expression Lanuage (SpEL) has a default limit of 10,000 characters. Springframework provides the feature to configure the limit. This feature allows to configure the limit of characters for SpEL expressions. Approach: In order to use an expression with characters more than the given default limit, require to follow either of the below approaches: 1. For Springframework >=5.3.28 and <6.1.3, by setting `maximumExpressionLength` field while instantiating the custom `SpelParserConfiguration` class. spring-projects/spring-framework#30380 spring-projects/spring-framework#30446 2. For Springframework >=6.1.3, by setting a JVM system property or Spring property named `spring.context.expression.maxLength` to the maximum expression length needed by your application. spring-projects/spring-framework#31952 spring-projects/spring-framework@7855986 Spinnaker supports spring boot 2.7.18, that brings springframework 5.3.31 [https://docs.spring.io/spring-boot/docs/2.7.18/reference/html/dependency-versions.html#appendix.dependency-versions.propertie9]. So first approach need to be implemented along with spinnaker enhancement to expose the `maximumExpressionLength` field. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 5, 2024

sbrannen added the in: core Issues in core modules (aop, beans, core, context, expression) label Jan 5, 2024

sbrannen changed the title ~~Make maximum SpEL expression length configurable for StandardBeanExpressionResolver~~ Make maximum SpEL expression length configurable for StandardBeanExpressionResolver Jan 5, 2024

sbrannen added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 8, 2024

sbrannen self-assigned this Jan 8, 2024

sbrannen added this to the 6.1.3 milestone Jan 8, 2024

bencehornak mentioned this issue Jan 9, 2024

Add spring.context.expression.maxLength property #31986

Closed

sbrannen closed this as completed in 7855986 Jan 9, 2024

sbrannen changed the title ~~Make maximum SpEL expression length configurable for StandardBeanExpressionResolver~~ Make maximum length of SpEL expressions in an ApplicationContext configurable Jan 9, 2024

j-sandy mentioned this issue Jun 26, 2024

feat(SpEL): implement to configure the limit of characters for SpEL expressions spinnaker/echo#1429

Merged

j-sandy mentioned this issue Jun 26, 2024

feat(SpEL): implement to configure the limit of characters for SpEL expressions spinnaker/kork#1193

Merged

j-sandy mentioned this issue Jun 26, 2024

feat(SpEL): implement to configure the limit of characters for SpEL expressions spinnaker/orca#4755

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make maximum length of SpEL expressions in an `ApplicationContext` configurable #31952

Make maximum length of SpEL expressions in an `ApplicationContext` configurable #31952

bencehornak commented Jan 5, 2024

sbrannen commented Jan 8, 2024 •

edited

Loading

bencehornak commented Jan 9, 2024

Make maximum length of SpEL expressions in an ApplicationContext configurable #31952

Make maximum length of SpEL expressions in an ApplicationContext configurable #31952

Comments

bencehornak commented Jan 5, 2024

Background

Use case

Proposal

sbrannen commented Jan 8, 2024 • edited Loading

bencehornak commented Jan 9, 2024

Make maximum length of SpEL expressions in an `ApplicationContext` configurable #31952

Make maximum length of SpEL expressions in an `ApplicationContext` configurable #31952

sbrannen commented Jan 8, 2024 •

edited

Loading