Forbid static access to org.springframework.util in expressions #966

Closed
danielfernandez opened this issue Jul 29, 2023 · 3 comments

@danielfernandez
Member

The org.springframework.util package contains a series of classes that, when accessed statically from SpringEL expressions included in Thymeleaf templates, might allow the execution of code from those templates. Generally there is no real reason for web applications to use classes from this package directly from Thymeleaf templates — if there is a case where it is strictly necessary, a wrapper class in an application package could be created.

IMPORTANT

Note that attacks based on the execution of this kind of expression specifically require write access to template code, or Thymeleaf being executed on an application that somehow allows template code to be altered externally, as seems to be the case of Spring Boot Admin in CVE-2023-38286.

@xtianus

xtianus commented Aug 3, 2023

In my opinion this is a Spring Boot Admin bug, not a Thymeleaf bug. In general I don't think Thymeleaf should filter what classes can be used or not used. You offer a powerful tool that can do anything and the user should be aware of it.

@danielfernandez
Member Author

@xtianus I'd agree to that to some extent, but security consultancy and advisory works in funny ways these days.

@xtianus

xtianus commented Aug 31, 2023

Just stumbled across a similar security problem involving hsqldb here. They "fixed it" by means of a system property:

The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

I would make use of something similar in Thymeleaf, eventually.
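Added example, not code from Thymeleaf or from this issue: a build-time template check that applies the two ideas discussed above, blocking any `T(org.springframework.util...)` static reference outright and treating every other `T(...)` class as denied unless it is on an allowlist, in the spirit of `hsqldb.method_class_names`. The default allowlist containing only `java.lang.Math`, the sample template and the class `com.example.Formatter` are assumptions constructed for the example.

```python
import re

# SpringEL static type reference syntax as used in Thymeleaf expressions:
# T(fully.qualified.ClassName). Group 1 captures the class name ($ covers nested classes).
TYPE_REF = re.compile(r"\bT\(\s*([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)\s*\)")

# Deny-by-default allowlist (assumption: only java.lang.Math is permitted,
# mirroring the hsqldb 2.7.1 default quoted in the comment above).
DEFAULT_ALLOWED_CLASSES = frozenset({"java.lang.Math"})

# Package this issue proposes to forbid; checked before the allowlist so that
# adding one of its classes to the allowlist does not silently re-enable it.
FORBIDDEN_PACKAGE = "org.springframework.util."


def find_static_type_refs(template: str):
    """Return (line_number, class_name) for every T(...) reference in the template text."""
    refs = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in TYPE_REF.finditer(line):
            refs.append((lineno, match.group(1)))
    return refs


def check_template(template: str, allowed=DEFAULT_ALLOWED_CLASSES):
    """Return one violation string per disallowed static reference; empty list means the template passes."""
    violations = []
    for lineno, cls in find_static_type_refs(template):
        if cls.startswith(FORBIDDEN_PACKAGE):
            violations.append(f"line {lineno}: static access to {cls} is forbidden ({FORBIDDEN_PACKAGE}*)")
        elif cls not in allowed:
            violations.append(f"line {lineno}: static access to {cls} is not on the allowlist")
    return violations


# Constructed sample template (not from the issue): an allowed call, a call into the
# forbidden package, an unlisted application class, and an ordinary utility-object call.
SAMPLE_TEMPLATE = """\
<p th:text="${T(java.lang.Math).max(1, 2)}">max</p>
<p th:if="${T(org.springframework.util.StringUtils).hasText(name)}" th:text="${name}">name</p>
<p th:text="${T(com.example.Formatter).format(value)}">value</p>
<p th:text="${#strings.toUpperCase(name)}">upper</p>
"""

if __name__ == "__main__":
    for violation in check_template(SAMPLE_TEMPLATE):
        print(violation)
```

Running it over the sample reports line 2 (forbidden package) and line 3 (not allowlisted); `#strings` and other Thymeleaf utility objects are untouched because they are not static type references.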
