Endor Labs notes in its report that Thymeleaf has defense-in-depth layers meant to block dangerous expressions, and in this case two of them failed. One was a string check that scanned the expression text for dangerous patterns such as the new keyword followed by an ASCII space, T( (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for the ASCII space character (0x20), whereas SpEL's parser also accepts a tab (0x09), a newline (0x0A) and other control characters between new and the class name.
Another policy blocked classes whose names start with java.* from being used inside T() type references, but did not block types from org.springframework.*, ognl.* or javax.*.
“Since typical Spring applications have spring-core on the classpath, classes like org.springframework.core.io.FileSystemResource were freely constructable, and that class can create arbitrary files on disk,” the researchers said.
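To make the two failure modes concrete, the following is an added example (written for this page, not Thymeleaf's or Endor Labs' code) that models both checks in Python: a naive filter that looks only for "new" followed by 0x20 and denies only java.* type references, next to a hardened variant that treats any whitespace or control character after the keyword as a separator and allows only an explicit set of types inside T(). The sample expressions, the helper names and the allowlist contents are constructed for illustration and are not taken from the report.

```python
import re

# Constructed sample expressions, labelled by what they probe (not from the report).
SAMPLES = {
    "new_space":   "new java.io.File('x')",          # keyword + ASCII space 0x20
    "new_tab":     "new\tjava.io.File('x')",         # keyword + tab 0x09
    "new_newline": "new\njava.io.File('x')",         # keyword + newline 0x0A
    "type_java":   "T(java.lang.Runtime).getRuntime()",
    "type_spring": "T(org.springframework.core.io.FileSystemResource)",
    "bean_ref":    "@someBean.method()",
    "benign":      "user.name + ' ' + user.role",
}

# Matches the class name that follows a T( type reference.
TYPE_REF = re.compile(r"\bT\s*\(\s*([A-Za-z_$][\w.$]*)")


def naive_blocked(expr: str) -> bool:
    """Shape of the flawed check described above (hypothetical reconstruction):
    a literal 'new ' with a single ASCII space, a java.* denylist for T(),
    and a bare '@' check. Tabs/newlines after 'new' and non-java.* types slip through."""
    if "new " in expr:
        return True
    for m in TYPE_REF.finditer(expr):
        if m.group(1).startswith("java."):
            return True
    return "@" in expr


# SpEL accepts tab, newline and other control characters between 'new' and the
# type name, so treat any whitespace or control byte (0x00-0x1F) as a separator.
NEW_KEYWORD = re.compile(r"(?<![\w.$])new[\s\x00-\x1f]+[A-Za-z_$]")

# Hypothetical allowlist: only types an application explicitly needs are permitted
# inside T(); everything else (including org.springframework.*, ognl.*, javax.*)
# is rejected by default instead of relying on a prefix denylist.
ALLOWED_TYPES = {"java.lang.Math", "java.lang.String"}


def hardened_blocked(expr: str) -> bool:
    """Hardened variant: whitespace-tolerant keyword match plus a type allowlist."""
    if NEW_KEYWORD.search(expr):
        return True
    for m in TYPE_REF.finditer(expr):
        if m.group(1) not in ALLOWED_TYPES:
            return True
    return "@" in expr


def compare(samples: dict = SAMPLES) -> dict:
    """Return {name: (naive_blocked, hardened_blocked)} for every sample."""
    return {name: (naive_blocked(e), hardened_blocked(e)) for name, e in samples.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:12s} naive={naive!s:5s} hardened={hard!s:5s}")
```

The two rows that differ between the columns are exactly the bypasses the report describes: an object construction with a tab or newline after the keyword, and a T() reference to a Spring class that a java.* prefix denylist never looks at. The lesson for anyone writing such a filter is that string matching must use the parser's own notion of a token separator, and that type references should be allowlisted rather than denylisted.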



