Disable SpEL selector support in WebSocket messaging by default #30550
Assignees
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement
A general enhancement
Milestone
Comments
sbrannen
added
in: web
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
sbrannen
changed the title
DefaultSubscriptionRegistry by default
sbrannen
added a commit
that referenced
this issue
Jun 1, 2023
Prior to this commit, the tests we had in place for SpEL 'selector' support did not assert what happens when a selector expression does not match or when a selector header is not present. See gh-30550
sbrannen
added a commit
that referenced
this issue
Jun 4, 2023
sbrannen
added a commit
that referenced
this issue
Jun 4, 2023
mdeinum
pushed a commit
to mdeinum/spring-framework
that referenced
this issue
Jun 29, 2023
Prior to this commit, the tests we had in place for SpEL 'selector' support did not assert what happens when a selector expression does not match or when a selector header is not present. See spring-projectsgh-30550
mdeinum
pushed a commit
to mdeinum/spring-framework
that referenced
this issue
Jun 29, 2023
mdeinum
pushed a commit
to mdeinum/spring-framework
that referenced
this issue
Jun 29, 2023
mdeinum
pushed a commit
to mdeinum/spring-framework
that referenced
this issue
Jun 29, 2023
This commit disables support for evaluating SpEL expressions from
untrusted sources by default. Specifically, this applies to the
SpEL-based 'selector' header support in WebSocket messaging, which
includes the DefaultSubscriptionRegistry and the classes used to
configure the 'selector' header name (SimpleBrokerMessageHandler and
SimpleBrokerRegistration).
The selector header support remains in place but will have to be
explicitly enabled beginning with Spring Framework 6.1.
For example, a custom implementation of WebSocketMessageBrokerConfigurer
can override the configureMessageBroker() method and configure the
selector header name as follows.
registry.enableSimpleBroker().setSelectorHeaderName("selector");
Closes spring-projectsgh-30550
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Overview
In an effort to reduce the potential for security vulnerabilities in SpEL to adversely affect Spring applications, the team has decided to disable support for evaluating SpEL expressions from untrusted sources by default.
Within the core Spring Framework, this applies to the SpEL-based
selectorheader support in WebSocket messaging, specifically in theDefaultSubscriptionRegistry.The
selectorheader support will remain in place but will have to be explicitly enabled beginning with Spring Framework 6.1.We will also investigate alternative approaches to the
selectorheader feature that do not involve SpEL, and we may later decide to deprecate the SpEL-basedselectorheader support in favor of such an alternative.Deliverables
DefaultSubscriptionRegistryby default.The text was updated successfully, but these errors were encountered: