Disable SpEL selector support in WebSocket messaging by default #30550
Labels: in: web (Issues in web modules (web, webmvc, webflux, websocket)); type: enhancement (A general enhancement)
sbrannen added the "in: web" and "type: enhancement" labels on May 25, 2023
sbrannen changed the title from "Disable SpEL selector support in DefaultSubscriptionRegistry by default" to "Disable SpEL selector support in WebSocket messaging by default" on May 31, 2023
sbrannen added a commit that referenced this issue on Jun 1, 2023:
Prior to this commit, the tests we had in place for SpEL 'selector' support did not assert what happens when a selector expression does not match or when a selector header is not present. See gh-30550
sbrannen added a commit that referenced this issue on Jun 4, 2023
sbrannen added a commit that referenced this issue on Jun 4, 2023
mdeinum pushed a commit to mdeinum/spring-framework that referenced this issue on Jun 29, 2023:
Prior to this commit, the tests we had in place for SpEL 'selector' support did not assert what happens when a selector expression does not match or when a selector header is not present. See spring-projects gh-30550
mdeinum pushed a commit to mdeinum/spring-framework that referenced this issue on Jun 29, 2023
mdeinum pushed a commit to mdeinum/spring-framework that referenced this issue on Jun 29, 2023
mdeinum pushed a commit to mdeinum/spring-framework that referenced this issue on Jun 29, 2023:
This commit disables support for evaluating SpEL expressions from untrusted sources by default. Specifically, this applies to the SpEL-based 'selector' header support in WebSocket messaging, which includes the DefaultSubscriptionRegistry and the classes used to configure the 'selector' header name (SimpleBrokerMessageHandler and SimpleBrokerRegistration).

The selector header support remains in place but will have to be explicitly enabled beginning with Spring Framework 6.1. For example, a custom implementation of WebSocketMessageBrokerConfigurer can override the configureMessageBroker() method and configure the selector header name as follows.

    registry.enableSimpleBroker().setSelectorHeaderName("selector");

Closes spring-projects gh-30550
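As an added example (not code from the issue or the referenced commits), a complete WebSocketMessageBrokerConfigurer that opts back in to the selector header under the Spring Framework 6.1 default, shown beside the default configuration that leaves it disabled; the package name, STOMP endpoint path and destination prefixes are assumptions.

```java
// Added example, not from the Spring Framework issue or its commits.
// Assumes Spring Framework 6.1+; package, endpoint and prefixes are made up.
package com.example.ws;

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws"); // hypothetical STOMP endpoint
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.setApplicationDestinationPrefixes("/app");

        // Spring Framework 6.1 default: no selector header name is configured,
        // so a "selector" header sent by a client on SUBSCRIBE is ignored
        // instead of being evaluated as a SpEL expression by the
        // DefaultSubscriptionRegistry.
        //
        //   registry.enableSimpleBroker("/topic", "/queue");

        // Explicit opt-in: evaluate the client-supplied "selector" header again.
        // Enable this only where subscribers genuinely need broker-side
        // filtering, because it restores SpEL evaluation of expressions that
        // arrive from connected clients.
        registry.enableSimpleBroker("/topic", "/queue")
                .setSelectorHeaderName("selector");
    }
}
```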
Overview

In an effort to reduce the potential for security vulnerabilities in SpEL to adversely affect Spring applications, the team has decided to disable support for evaluating SpEL expressions from untrusted sources by default.

Within the core Spring Framework, this applies to the SpEL-based selector header support in WebSocket messaging, specifically in the DefaultSubscriptionRegistry. The selector header support will remain in place but will have to be explicitly enabled beginning with Spring Framework 6.1. We will also investigate alternative approaches to the selector header feature that do not involve SpEL, and we may later decide to deprecate the SpEL-based selector header support in favor of such an alternative.

Deliverables

- Disable SpEL selector support in DefaultSubscriptionRegistry by default.