Spring4Shell (CVE-2022-22965) workaround fix

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement (cherry picked from commit 3637c8d)
Evolveum · Mar 31, 2022 · 9702d79 · 9702d79
1 parent 57790b9
commit 9702d79
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/BinderControllerAdvice.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/BinderControllerAdvice.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2010-2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.rest.impl;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+@ControllerAdvice
+@Order
+public class BinderControllerAdvice {
+
+    /**
+     * Should prevent Spring4Shell vulnerability (but we believe midPoint does not allow it anyway).
+     * See https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement[this] for more info.
+     */
+    @InitBinder
+    public void setAllowedFields(WebDataBinder dataBinder) {
+        dataBinder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
+    }
+}