Sensei Logo Sensei Hub

Recipe - Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)

Description:
Could lead to Spring Expression Language Injection
Level:
error
Language:
  • java
Tags:
  • expression language
  • Spring
  • Spring Core
  • security
  • framework specific
  • injection
  • OWASP Top 10
Documentation

Secure coding practices prescribe that spring expressions using dynamic values should be avoided.

Spring expression language is vulnerable for injection attacks. In newer versions expression evaluation is disabled by default. It is advised to avoid expression language evaluation where possible. If it can not be avoided, make sure to add proper Input Validation.

Recipe
id: scw:spring:el-expressionparser
version: 10
metadata:
  name: 'Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)'
  shortDescription: Could lead to Spring Expression Language Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:generic
  enabled: true
  descriptionFile: descriptions/SPEL_Injection_User_controlled_input_evaluation.html
  tags: expression language;Spring;Spring Core;security;framework specific;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    anyOf:
    - name: parseExpression
      declaration:
        type: org.springframework.expression.ExpressionParser
    - name: parseRaw
      declaration:
        type: org.springframework.expression.spel.standard.SpelExpressionParser
availableFixes: []