Recipe Name:
Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)
Description:
Could lead to Spring Expression Language Injection
Level:
error
Language:
- java
Tags:
- expression language
- Spring
- Spring Core
- security
- framework specific
- injection
- OWASP Top 10
Documentation:
Secure coding practices prescribe that Spring expressions built from dynamic values should be avoided.
The Spring Expression Language (SpEL) is vulnerable to injection attacks when the expression text is controlled by a user. In newer Spring versions, expression evaluation is disabled by default in the places where it used to be on. Avoid expression language evaluation where possible; if it cannot be avoided, make sure to add proper input validation before the value reaches the parser.
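The two call shapes the recipe distinguishes, as an added example that is not part of the original recipe page: `vulnerable()` passes the user's string straight into `ExpressionParser.parseExpression` (the pattern the `containsUntrustedInput` search flags), while `isAdult()` keeps the expression a fixed constant, validates the input, and binds it only as a variable under a `SimpleEvaluationContext`. The example assumes `spring-expression` is on the classpath at a version that provides `SimpleEvaluationContext`; the class, method and variable names are illustrative.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Illustrative class; not from the recipe or from Spring itself.
public class SpelUserInputExample {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Flagged by the recipe: the expression text itself is user controlled, and
    // getValue() without a context uses the full-power StandardEvaluationContext.
    public static Object vulnerable(String userSuppliedExpression) {
        Expression exp = PARSER.parseExpression(userSuppliedExpression);
        return exp.getValue();
    }

    // Hardened: the expression is a compile-time constant written by the developer.
    // User input never becomes expression text; it only becomes a variable value.
    private static final Expression AGE_RULE = PARSER.parseExpression("#age >= 18");

    public static boolean isAdult(String userSuppliedAge) {
        int age;
        try {
            // Input validation: the value must be an integer before it is used at all.
            age = Integer.parseInt(userSuppliedAge.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("age must be an integer", e);
        }
        // SimpleEvaluationContext (read-only data binding) exposes no type references,
        // constructors, bean references or method invocation, only the variables we bind.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("age", age);
        return Boolean.TRUE.equals(AGE_RULE.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        System.out.println(isAdult("42"));  // true
        System.out.println(isAdult("7"));   // false
        try {
            isAdult("not-a-number");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The recipe only matches on the first `String` argument of `parseExpression`/`parseRaw` being tainted, so the hardened form is quiet because the parser only ever sees the literal `"#age >= 18"`; the restricted evaluation context is the second layer, in case a future change lets dynamic text back into the expression.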
Recipe:
id: scw:spring:el-expressionparser
version: 10
metadata:
  name: 'Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)'
  shortDescription: Could lead to Spring Expression Language Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:generic
  enabled: true
  descriptionFile: descriptions/SPEL_Injection_User_controlled_input_evaluation.html
  tags: expression language;Spring;Spring Core;security;framework specific;injection;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    anyOf:
      - name: parseExpression
        declaration:
          type: org.springframework.expression.ExpressionParser
      - name: parseRaw
        declaration:
          type: org.springframework.expression.spel.standard.SpelExpressionParser
availableFixes: []