thymeleaf/thymeleaf

Improve restricted expression evaluation mode

danielfernandez opened this issue · 0 comments

Current status

Currently the restricted expression evaluation mode is applied in the following scenarios (see note below):

  • Pre-processing expressions: __...__
  • Unescaped output: th:utext and inlined unescaped expressions.
  • All th:on* attribute processors for JavaScript events whose value is a Thymeleaf Standard Expression (see #707).
  • th:attr attribute processor that enables the creation of variables with arbitrary names to be used elsewhere in the template.
  • Template and fragment names in Fragment expressions: ~{...} or contents of th:insert, th:replace, th:include and th:substituteby
  • Fragment parameters in Fragment Expressions (~{...} or th:insert, th:replace, etc.) so that template fragments cannot be called with parameters whose values come from direct user input (a scenario equivalent to that of th:attr).
  • Default attribute processor (see #297), which allows the rendering of any attribute with an arbitrary name (just in case it is a JS event or anything similar)
  • URL bases in Link Expressions (@{...}) (URL parameters will not be restricted)
  • th:src and th:href (except URL parameters inside Link Expressions as explained above)
  • Output expressions in TEXT template mode, even if escaped, in any position (the safest option, since there is no way to know how the output will be used).

This restricted mode applies the following restrictions:

  • No access allowed to the request parameters: ${param.*} and also to any of:
    • ${#request.getParameter(...)}
    • ${#request.getParameterValues(...)}
    • ${#request.getParameterMap()}
    • ${#request.getQueryString()}
    • ${#httpServletRequest.getParameter(...)}
    • ${#httpServletRequest.getParameterValues(...)}
    • ${#httpServletRequest.getParameterMap()}
    • ${#httpServletRequest.getQueryString()}
  • In th:on* attribute processors whose attribute value is a Thymeleaf Standard Expression: no expression is allowed to have a result of a type other than numeric or boolean.

Modifications to the restricted mode

The new restrictions to be applied would include, for all scenarios where it is applicable:

  • Creation of new objects (new ...)
  • Access to static code (@identifier@ in OGNL, T(identifier) in SpringEL)
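As an added example (not Thymeleaf's own code), the restricted-mode rules in this issue, including the two proposed additions, turned into a small Python template linter. It decides per attribute whether restricted mode applies, then flags request-parameter access, object creation and static access, while leaving the URL parameters of a link expression alone as the issue specifies. The processor tables, the regular expressions, the HTML-attribute matcher and the sample template are constructed approximations of the rules listed above, not Thymeleaf's parser or processor registry; the set of unrestricted processors in KNOWN_UNRESTRICTED is an assumption.

```python
import re
from numbers import Number

# Processors the issue lists as always evaluated in restricted mode.
ALWAYS_RESTRICTED = {
    "th:utext", "th:attr", "th:insert", "th:replace", "th:include",
    "th:substituteby", "th:src", "th:href",
}
# Assumption: these escaped-output / control-flow processors are unrestricted.
# Any other th:* attribute falls through to the default attribute processor,
# which the issue also places under restricted mode.
KNOWN_UNRESTRICTED = {"th:text", "th:if", "th:unless", "th:each", "th:class", "th:id"}

# Constructs forbidden in restricted mode: the current rules plus the proposed
# object-creation and static-access rules, as (pattern, label) pairs.
FORBIDDEN = [
    (r"\bparam\s*[.\[]", "request parameter access via ${param.*}"),
    (r"#(?:request|httpServletRequest)\.getParameter(?:Values|Map)?\s*\(",
     "request parameter access via #request/#httpServletRequest"),
    (r"#(?:request|httpServletRequest)\.getQueryString\s*\(", "query string access"),
    (r"\bnew\s+[A-Za-z_$][\w.$]*", "object creation (new ...)"),
    (r"@[A-Za-z_$][\w.$]*@", "static access (OGNL @class@)"),
    (r"\bT\s*\([^)]*\)", "static access (SpringEL T(...))"),
]

# Constructed matcher for th:* attributes in an HTML template (not Thymeleaf's parser).
ATTR_RE = re.compile(r'(th:[\w-]+)\s*=\s*"([^"]*)"')


def is_restricted_context(attr_name, template_mode="HTML"):
    """Does an expression in this attribute run in restricted mode?"""
    if template_mode.upper() == "TEXT":
        return True  # TEXT mode: every output expression, escaped or not
    if attr_name in ALWAYS_RESTRICTED or attr_name.startswith("th:on"):
        return True
    return attr_name not in KNOWN_UNRESTRICTED  # default attribute processor


def strip_link_parameters(expr):
    """Drop the (name=value,...) part of each @{...} link expression: only the
    URL base is restricted, URL parameters are not."""
    out, i = [], 0
    while i < len(expr):
        if not expr.startswith("@{", i):
            out.append(expr[i])
            i += 1
            continue
        depth, j = 0, i + 1  # find the matching closing brace (braces may nest)
        while j < len(expr):
            depth += {"{": 1, "}": -1}.get(expr[j], 0)
            if depth == 0:
                break
            j += 1
        body = expr[i + 2:j]
        k, d = 0, 0  # the first '(' at brace depth 0 starts the parameter list
        while k < len(body) and not (body[k] == "(" and d == 0):
            d += {"{": 1, "}": -1}.get(body[k], 0)
            k += 1
        out.append("@{" + body[:k] + "}")
        i = j + 1
    return "".join(out)


def find_violations(attr_name, expression, template_mode="HTML"):
    """Labels of every forbidden construct, if restricted mode applies here."""
    if not is_restricted_context(attr_name, template_mode):
        return []
    text = strip_link_parameters(expression)
    return [label for pattern, label in FORBIDDEN if re.search(pattern, text)]


def check_event_result(attr_name, value):
    """Runtime rule for th:on*: only numeric or boolean results are accepted
    (bool is a Number in Python, so one isinstance check covers both)."""
    return not attr_name.startswith("th:on") or isinstance(value, Number)


def scan_template(html, template_mode="HTML"):
    """Lint every th:* attribute; returns (attribute, expression, label) triples."""
    return [(attr, expr, label)
            for attr, expr in ATTR_RE.findall(html)
            for label in find_violations(attr, expr, template_mode)]


# Constructed sample template exercising the rules; values are illustrative only.
SAMPLE = """
<p th:text="${param.q}">escaped output: allowed</p>
<p th:utext="${param.q}">unescaped output: rejected</p>
<a th:href="@{/search(q=${param.q})}">URL parameter: allowed</a>
<a th:href="@{${param.next}}">URL base from input: rejected</a>
<div th:insert="~{${#request.getParameter('frag')}}">fragment name: rejected</div>
<button th:onclick="${new java.util.Date()}">object creation: rejected</button>
<span th:utext="${T(java.lang.Math).abs(-1)}">SpringEL static: rejected</span>
<span th:utext="${@java.lang.Math@PI}">OGNL static: rejected</span>
"""
```

`scan_template(SAMPLE)` reports six findings: everything except the escaped th:text and the th:href whose only use of `param` sits in a URL parameter. `find_violations` is the static part of the check; the th:on* rule that the result type must be numeric or boolean can only be applied once the expression has been evaluated, which `check_event_result` models. The real engine works on parsed expression trees rather than regular expressions, so these patterns should be read as a statement of the policy, not as a drop-in filter.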