Spring Framework issue SPR-11472

autoGrowCollectionLimit versus general collection size limit

Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.2.4
    • Fix Version/s: None
    • Component/s: Web

    Description

      Problem

      Spring's data binder allows you to set the maximum size() of an automatically created List<>, e.g. to 3 items. It's quite easy to bypass this limitation and cause Spring to create a List of 3000+ items simply by modifying the HTTP content sent to the server.

      In other words: while testing my webapp I was able, by crafting a malicious HTTP request, to force Spring's data binder to create a List<> consisting of 4000 items although I had set the limit to 3 items. This may easily lead to Out of Memory exceptions on any app server.

      Version used

      spring-tool-suite-3.3.0.RELEASE,
      D:\m2\repo\org\springframework\spring-web\3.2.4.RELEASE\spring-web-3.2.4.RELEASE.jar

      Description

      I needed to bind multiple HTML <input /> elements to a single List<String> object, something like:

      <input type="text" name="phoneNumber[0]" />
      ...
      <input type="text" name="phoneNumber[n]" />

      Spring performs such conversion by default using org.springframework.beans.propertyeditors.CustomCollectionEditor. Below is a simple code snippet presenting the issue described above.

      Code

      ContactDataEntity.java

      import java.util.List;

      public class ContactDataEntity {
          private List<String> phoneNumber;

          public List<String> getPhoneNumber() { return phoneNumber; }
          public void setPhoneNumber(List<String> phoneNumber) { this.phoneNumber = phoneNumber; }
      }

      TestController.java

      import java.util.List;
      import javax.servlet.http.HttpServletRequest;

      import org.springframework.stereotype.Controller;
      import org.springframework.ui.Model;
      import org.springframework.web.bind.ServletRequestDataBinder;
      import org.springframework.web.bind.annotation.RequestMapping;
      import org.springframework.web.bind.annotation.RequestMethod;

      @Controller
      public class TestController {

          // VIEW_PAGE_1 is defined elsewhere in the reporter's application; the value below is a placeholder
          private static final String VIEW_PAGE_1 = "/page1";

          @RequestMapping(value = VIEW_PAGE_1, method = RequestMethod.POST)
          public String xxx(HttpServletRequest request, Model model) {

              // set and bind: the binder auto-grows the phoneNumber list from phoneNumber[i] parameters
              ContactDataEntity contactData = new ContactDataEntity();
              ServletRequestDataBinder binder = new ServletRequestDataBinder(contactData);
              binder.setAutoGrowCollectionLimit(3); // set limit to 3 items
              binder.bind(request);

              // test binding results
              List<String> numbers = contactData.getPhoneNumber();
              if (numbers != null) {
                  System.out.print("numbers SIZE: " + numbers.size() + ", DATA: ");
                  for (String s : numbers) System.out.print(s + ", ");
                  System.out.print("\n");
              }

              // validate and return view name...
              return "contact"; // placeholder; the real view name is elided in the report
          }
      }
      Results
      Results for correct data (<= 3 items, everything works ok, I use Live HTTP Headers for Firefox):

      Results for too many items (> 3 items, everything works ok, 500 Internal Server Error occurred):

      Simple trick (> 3 items, no errors reported, sorry for my typo in 'overwritten'):

      Let's exploit the above:
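The distinction the issue title points at, as an added example that is not part of the report or of Spring's own code: it binds the same entity shape through Spring's DataBinder (assumes spring-beans and spring-context on the classpath), shows that setAutoGrowCollectionLimit only governs index-based growth (an index at or past the limit raises InvalidPropertyException rather than a recorded binding error, which is what surfaces as the 500 the reporter saw), and adds a hypothetical PhoneListSizeValidator that enforces a general size limit on the bound list after binding, regardless of how the list was populated. ContactDataEntity, PhoneListSizeValidator, bindWithLimit and the sample values are constructed for this example.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.beans.InvalidPropertyException;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;
import org.springframework.validation.Errors;
import org.springframework.validation.Validator;

// Added example, not part of SPR-11472 or of Spring: auto-grow limit versus a general size limit.
public class CollectionLimitDemo {

    /** Same shape as the entity in the report, with the elided accessors written out. */
    public static class ContactDataEntity {
        private List<String> phoneNumber;
        public List<String> getPhoneNumber() { return phoneNumber; }
        public void setPhoneNumber(List<String> phoneNumber) { this.phoneNumber = phoneNumber; }
    }

    /** Hypothetical validator: caps the list size no matter which path filled the list. */
    public static class PhoneListSizeValidator implements Validator {
        private final int maxSize;
        public PhoneListSizeValidator(int maxSize) { this.maxSize = maxSize; }

        @Override
        public boolean supports(Class<?> clazz) {
            return ContactDataEntity.class.isAssignableFrom(clazz);
        }

        @Override
        public void validate(Object target, Errors errors) {
            List<String> numbers = ((ContactDataEntity) target).getPhoneNumber();
            if (numbers != null && numbers.size() > maxSize) {
                errors.rejectValue("phoneNumber", "phoneNumber.tooMany",
                        "at most " + maxSize + " phone numbers are accepted");
            }
        }
    }

    private static final int LIMIT = 3; // the limit used in the report

    /** Binds the given property values with the auto-grow limit and then runs the size validator. */
    static DataBinder bindWithLimit(ContactDataEntity target, MutablePropertyValues pvs) {
        DataBinder binder = new DataBinder(target, "contactData");
        binder.setAutoGrowCollectionLimit(LIMIT);          // must be set before binding
        binder.setValidator(new PhoneListSizeValidator(LIMIT));
        binder.bind(pvs);
        binder.validate();                                 // records size violations in the BindingResult
        return binder;
    }

    public static void main(String[] args) {
        // Case 1: constructed request with three indexed values, within the limit.
        MutablePropertyValues withinLimit = new MutablePropertyValues();
        for (int i = 0; i < LIMIT; i++) {
            withinLimit.add("phoneNumber[" + i + "]", "555-000" + i);
        }
        ContactDataEntity ok = new ContactDataEntity();
        DataBinder okBinder = bindWithLimit(ok, withinLimit);
        System.out.println("within limit: size=" + ok.getPhoneNumber().size()
                + ", errors=" + okBinder.getBindingResult().hasErrors());

        // Case 2: constructed request with one index past the limit. BeanWrapperImpl refuses to
        // grow the list and throws InvalidPropertyException; this is not a binding error, so
        // left uncaught in a controller it becomes a 500 rather than a validation message.
        MutablePropertyValues pastLimit = new MutablePropertyValues(withinLimit);
        pastLimit.add("phoneNumber[" + LIMIT + "]", "555-0999");
        try {
            bindWithLimit(new ContactDataEntity(), pastLimit);
        } catch (InvalidPropertyException ex) {
            System.out.println("past limit: " + ex.getMessage());
        }

        // Case 3: the list is already oversized (constructed here directly, standing in for any
        // path that fills the list without index-based growth). The auto-grow limit never fires,
        // but the general size validator still rejects the list.
        ContactDataEntity oversized = new ContactDataEntity();
        oversized.setPhoneNumber(Collections.nCopies(4000, "555-0000"));
        DataBinder oversizedBinder = bindWithLimit(oversized, new MutablePropertyValues());
        System.out.println("oversized: errors=" + oversizedBinder.getBindingResult().hasErrors()
                + ", message=" + oversizedBinder.getBindingResult()
                        .getFieldError("phoneNumber").getDefaultMessage());
    }
}
```

The point of the third case is that a size check on the bound object is independent of the binder's growth strategy: setAutoGrowCollectionLimit decides how far the binder will extend a list for phoneNumber[i] parameters, while the validator inspects the size the list actually ends up with, so the two limits can be set together.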

People

    Assignee: Juergen Hoeller (juergen.hoeller)
    Reporter: Dominik S. (dominik_s)
    Spring Issues
    Votes: 0
    Watchers: 4

Dates

    Updated: 3 years, 38 weeks, 1 day ago