Spring EL (SpEL) code execution

I want to use SpEL to evaluate user input. But this opens a security hole, because the SpEL engine also executes code and can run classes and access static objects. For example, T(System).exit(0) terminates the application.

Can this type of code execution be prevented?

1 answer

A way to avoid this is to never evaluate user input in an expression language.

You will almost never be able to list and, therefore, prevent the execution of all possible "bad" code.

Instead, you can use user input as environment variables (strings, numbers) with fixed EL expressions.

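The approach the answer describes, as an added example that is not part of the question or answer: the expression text is a developer-chosen constant, the user's input is bound as a variable, and evaluation runs in a restricted context. It assumes spring-expression with SimpleEvaluationContext available (Spring Framework 5.x or later); the class and variable names are illustrative.

```java
// Added example: user input is never part of the expression source.
// It is bound as a variable and evaluated against a fixed expression.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SafeSpelDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Fixed expression written by the developer; only the #input variable varies.
    private static final Expression GREETING =
            PARSER.parseExpression("'Hello, ' + #input + '!'");

    /** Evaluates the fixed expression with untrusted text bound as a variable. */
    static String greet(String untrusted) {
        // SimpleEvaluationContext has no type locator, bean resolver or
        // constructor resolver, so T(...), new ... and @bean references are
        // unavailable; forReadOnlyDataBinding() also refuses property assignment.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("input", untrusted);
        return GREETING.getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        // Constructed sample input that looks like an expression. Because it is
        // a variable value rather than expression source, it is just a string.
        String hostile = "T(java.lang.System).exit(0)";
        System.out.println(greet(hostile));
        // prints: Hello, T(java.lang.System).exit(0)!

        // For contrast: even if untrusted text were (wrongly) parsed as an
        // expression, the restricted context rejects the type reference
        // before any method on it could be invoked.
        try {
            PARSER.parseExpression(hostile)
                  .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Parsing the fixed expression once and reusing it also means the expression source can be reviewed at build time, which is not possible when the text comes from a request.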
