April 18, 2026

Endor Labs notes in its report that Thymeleaf has defense-in-depth layers to block dangerous expressions, and in this case two of them failed. For instance, a string check scanned the expression text for dangerous patterns, such as the new keyword followed by an ASCII space, T( (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for the ASCII space character (0x20), while SpEL's parser also accepts tab (0x09), newline (0x0A), and other control characters between new and the class name.

Another policy blocked classes that start with java.* from being used inside T() type references, but did not block types from org.springframework.*, ognl.*, or javax.*.
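As an added illustration (not code from the Endor Labs report or from Thymeleaf itself), the following Python models the two checks described above in their weak form and in a hardened form: the new-keyword check that only recognises ASCII space 0x20 beside one that treats any whitespace or control character as a separator, and the java.* denylist for T() type references beside an explicit allowlist. The sample expressions and the allowlist contents are constructed assumptions for the demonstration.

```python
import re

# Constructed sample expressions (not taken from the report). The second and
# third exercise the two gaps described above; the last one is benign.
SAMPLES = [
    "new java.io.File('x')",                               # both checks refuse this
    "new\tjava.io.File('x')",                              # tab instead of 0x20
    "T(org.springframework.core.io.FileSystemResource)",   # not java.*, so the denylist passes it
    "T(java.lang.Math).abs(-1)",                           # java.* denylist refuses this
    "#strings.toUpperCase(name)",                          # benign template expression
]

# Denylist modelled on the weak policy: only java.* is refused.
DENIED_TYPE_PREFIXES = ("java.",)
# Allowlist for the hardened policy (assumption: these are the only types the templates need).
ALLOWED_TYPES = {"java.lang.Math", "java.lang.String"}

# Extracts the fully qualified type name from a T(...) reference.
TYPE_REF = re.compile(r"T\(\s*([\w.$]+)\s*\)")


def weak_blocks(expr: str) -> bool:
    """Model of the original layers: 'new' followed by ASCII space 0x20 only,
    any '@' bean reference, and java.* type names inside T()."""
    if "new " in expr or "@" in expr:
        return True
    return any(t.startswith(DENIED_TYPE_PREFIXES) for t in TYPE_REF.findall(expr))


def hardened_blocks(expr: str) -> bool:
    """Hardened model: 'new' followed by any whitespace or control character
    (what the SpEL parser accepts as a separator), any '@', and every T() type
    must appear on the allowlist rather than merely avoid a denylist."""
    if re.search(r"\bnew[\s\x00-\x1f]", expr) or "@" in expr:
        return True
    refs = TYPE_REF.findall(expr)
    if expr.count("T(") != len(refs):   # a T( we could not parse cleanly: refuse it
        return True
    return any(t not in ALLOWED_TYPES for t in refs)


def audit(exprs=SAMPLES):
    """Return (expression, blocked_by_weak, blocked_by_hardened) for each expression."""
    return [(e, weak_blocks(e), hardened_blocks(e)) for e in exprs]


if __name__ == "__main__":
    for expr, weak, hard in audit():
        print(f"{expr!r:55} weak={weak!s:5} hardened={hard}")
```

Running it shows the tab-separated new expression and the org.springframework type passing the weak checks and being refused by the hardened ones, while the benign expression passes both.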

"Since typical Spring applications have spring-core on the classpath, classes like org.springframework.core.io.FileSystemResource were freely constructable, and that class can create arbitrary files on disk," the researchers said.
