Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add AllowList for classes that should be available for static access via T() in sensitive expressions #829

Open
leonard84 opened this issue Apr 26, 2021 · 1 comment · May be fixed by #960
Open

Add AllowList for classes that should be available for static access via T() in sensitive expressions #829

leonard84 opened this issue Apr 26, 2021 · 1 comment · May be fixed by #960
Labels
needs triage

Comments

@leonard84
Copy link

As discussed in #816 the changes in 3.0.12 disabled static access via T() in sensitive expressions.
It would be a good compromise, if we could allow certain classes to be still be accessible in those areas, e.g. Enums or String constants.
@duoduobingbing
Copy link

It would be very nice to have this. Currently the only workaround to this is to either downgrade to 3.0.11 or by using Reflection to change ExpressionUtils.ALLOWED_JAVA_CLASS_NAMES and ExpressionUtils.ALLOWED_JAVA_CLASSES which is in no way ideal.

This requires every deployment to run with --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED to make this awful workaround of changing the static private final field work properly. This is obviously something one would like to avoid by all means.

@duoduobingbing duoduobingbing linked a pull request Jun 17, 2023 that will close this issue
Open
@duoduobingbing duoduobingbing mentioned this issue May 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make the class access evaluation mechanism of ExpressionUtils configurable duoduobingbing/thymeleaf
2 participants
@leonard84 @duoduobingbing