Although this issue is related to Spring Expression Language being part of Spring Framework, and I am not sure if the current version of Spring MVC form binding is performed by Spring EL (before 3.0 it was WebDataBinder for sure), I decided to raise a JIRA here, since this issue clearly affects Spring Web Flow data binding.
The main problem is the inability to specify a limit on the size of a collection whose elements will be set by SpEL.
In my Web Flow XML configuration I have defined flowBuilderServices with an expression parser as follows:
My form bean:
Since I do not know in advance the target size of funds (I only know the upper limit), I have set SpelParserConfiguration#autoGrowCollections to true to have the list expanded as necessary.
Unfortunately, a malicious user can edit the HTML page and set a very large index on a particular input, like:
which will cause Spring to insert 100000000 InitialFundBean objects into the funds list. Is there any way I could set the max size of the target array / max index of the element to put?
Before SpEL was used for binding, DataBinder (more specifically WebDataBinder) was used, which has an option to set autoGrowCollectionLimit. Why is autoGrowCollectionLimit missing for SpelParserConfiguration?
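One way to bound the index before binding, added here as an example and not taken from the report or from Spring: a plain-JDK guard that checks submitted parameter names and fails closed on any bracketed index that is not a small plain integer. The class name `IndexLimitGuard`, the limit of 50 funds, the `funds[i].amount` naming and the `amount` property are assumptions.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical pre-binding guard: rejects parameter names whose list index exceeds a limit. */
public class IndexLimitGuard {

    // Captures whatever sits between '[' and ']' in a parameter name.
    private static final Pattern BRACKET = Pattern.compile("\\[([^\\]]*)\\]");
    // Only plain decimal indexes of at most 9 digits are accepted, so parseInt cannot overflow.
    private static final Pattern PLAIN_INDEX = Pattern.compile("\\d{1,9}");

    private final int maxIndex;

    public IndexLimitGuard(int maxIndex) {
        this.maxIndex = maxIndex;
    }

    /** True when every bracketed segment is a plain integer no greater than maxIndex. */
    public boolean isAllowed(String parameterName) {
        Matcher m = BRACKET.matcher(parameterName);
        while (m.find()) {
            String content = m.group(1);
            // Assumption: the form binds list elements only, so map keys, whitespace
            // and arithmetic inside the brackets are rejected rather than interpreted.
            if (!PLAIN_INDEX.matcher(content).matches() || Integer.parseInt(content) > maxIndex) {
                return false;
            }
        }
        return true;
    }

    /** Throws before any binding happens if a submitted name is out of bounds. */
    public void check(Collection<String> parameterNames) {
        for (String name : parameterNames) {
            if (!isAllowed(name)) {
                throw new IllegalArgumentException("Rejected indexed parameter: " + name);
            }
        }
    }

    public static void main(String[] args) {
        IndexLimitGuard guard = new IndexLimitGuard(49); // assumed upper limit of 50 funds
        // Constructed parameter names for illustration.
        System.out.println(guard.isAllowed("funds[3].amount"));
        System.out.println(guard.isAllowed("funds[100000000].amount"));
        System.out.println(guard.isAllowed("funds[ 7 ].amount"));
        guard.check(Arrays.asList("funds[0].amount", "funds[49].amount"));
    }
}
```

The guard only helps if `check` runs on the request's parameter names before they are handed to the expression parser, so that an oversized index is refused while the list is still empty.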