Spring Web Flow / SWF-1566

Spring expression language auto grow collections size limit


    Details

      Description

      Hi

      Although this issue is related to Spring Expression Language, which is part of Spring Framework, and I am not sure whether the current version of Spring MVC form binding is performed by Spring EL (before 3.0 it was WebDataBinder for sure), I decided to raise a JIRA issue here since this issue clearly affects Spring Web Flow data binding.
      The main problem is the inability to specify a limit on the size of a collection whose elements will be set by SpEL.
      In my Web Flow XML configuration I have defined flowBuilderServices with an expression parser as follows:

      <bean id="expressionParser" class="org.springframework.expression.spel.standard.SpelExpressionParser">
        <constructor-arg name="configuration">
          <bean class="org.springframework.expression.spel.SpelParserConfiguration">
            <constructor-arg name="autoGrowCollections" value="true" />
            <constructor-arg name="autoGrowNullReferences" value="true" />
          </bean>
        </constructor-arg>
      </bean>

      <bean id="webflowExpressionParser" class="org.springframework.webflow.expression.spel.WebFlowSpringELExpressionParser">
        <constructor-arg name="expressionParser" ref="expressionParser" />
      </bean>

      <webflow:flow-builder-services id="flowBuilderServices" view-factory-creator="mvcViewFactoryCreator"
          development="true" validator="validator" expression-parser="webflowExpressionParser" />
      

      My form bean:

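      import java.io.Serializable;
      import java.util.LinkedList;
      import java.util.List;
      import javax.validation.Valid;

      // Form bean bound by the flow; "funds" is the list that SpEL auto-grows.
      public class InitialFundsFormBean implements Serializable {
          @Valid
          private List<InitialFundBean> funds = new LinkedList<InitialFundBean>();
      ...
      }

      // Element type created for every index up to the one submitted.
      public class InitialFundBean implements Serializable {
          private Long id;
          private String share;
      }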
      

      Since I do not know in advance the target size of funds (I only know the upper limit), I have set SpelParserConfiguration#autoGrowCollections to true to have the list expanded as necessary.
      Unfortunately, a malicious user can edit the HTML page and set a very large index on a particular input, like:

      "funds[100000000].id"

      which will cause Spring to insert 100000000 InitialFundBean objects into the funds list. Is there any way I could set the max size of the target array / max index of the element to put?
      Before SpEL was used for binding, DataBinder (more specifically WebDataBinder) was used, which has an option to set autoGrowCollectionLimit. Why is autoGrowCollectionLimit missing from SpelParserConfiguration?


              People

              Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              miluch Jakub Milkiewicz
              Votes:
              0
              Watchers:
              4

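The report above describes a tampered field name such as `funds[100000000].id` forcing the bound list to auto-grow. As an added example (not part of the original report and not Spring code), the hypothetical `IndexedParameterGuard` below checks submitted parameter names against an application-chosen maximum index before they reach the binder; the class name, the limit of 49 and the sample names are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical class): screens indexed parameter names before binding.
public class IndexedParameterGuard {

    // Matches every "[digits]" segment in a name such as funds[3].id
    private static final Pattern INDEX = Pattern.compile("\\[(\\d+)\\]");

    // Highest collection index the application accepts (assumed known, as in the report).
    private final int maxIndex;

    public IndexedParameterGuard(int maxIndex) {
        this.maxIndex = maxIndex;
    }

    /** Returns true when every numeric index in the name is <= maxIndex. */
    public boolean isAllowed(String parameterName) {
        Matcher m = INDEX.matcher(parameterName);
        while (m.find()) {
            String digits = m.group(1);
            // Digit runs longer than 9 characters are rejected outright, so
            // Integer.parseInt can never overflow on attacker-supplied input.
            if (digits.length() > 9 || Integer.parseInt(digits) > maxIndex) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        IndexedParameterGuard guard = new IndexedParameterGuard(49);
        // Constructed sample names, as a tampered form might submit them.
        List<String> names = Arrays.asList(
                "funds[0].id",
                "funds[49].share",
                "funds[100000000].id",
                "funds[99999999999999999999].id");
        for (String name : names) {
            System.out.println(name + " -> " + (guard.isAllowed(name) ? "bind" : "reject"));
        }
    }
}
```

With a limit of 49 the first two names are passed on for binding and the last two are rejected before any list element is created.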