Description
Affects: Spring Framework 5.2.24+
Background
Since #30325 (implemented in b73f5fc) the length of SpEL expressions is limited by default to 10000. As I understand it this is a mitigation against potential ReDoS exploits. However, in some cases this limitation is too low and prevents upgrading to recent Spring Framework versions.
While #30380 (implemented in aefcb9d) adds support for a custom maximumExpressionLength the feature is only accessible if one instantiates the SpelParserConfiguration class themselves.
In my case I would like to configure the SpelParserConfiguration created in the class StandardBeanExpressionResolver to accept my very long property by raising the maximumExpressionLength to a higher value than its default (10000).
Use case
I've got a huge map in my config:
myproperty={\
a: {\
x: { host: '10.1.1.1', port: 1234 },\
y: { host: '10.1.1.1', port: 1234 },\
z: { host: '10.1.1.1', port: 1234 }\
},\
b: {\
x: { host: '10.1.1.1', port: 1234 },\
y: { host: '10.1.1.1', port: 1234 },\
z: { host: '10.1.1.1', port: 1234 }\
},\
c: {\
x: { host: '10.1.1.1', port: 1234 },\
y: { host: '10.1.1.1', port: 1234 },\
z: { host: '10.1.1.1', port: 1234 }\
},\
# and so on, altogether 15000 characters
}It is used by a property:
@Value("#{${myproperty}}")
private Map<String, Map<String,Map<String,String>>> myproperty;
If I try to start my application I get the following exception:
org.springframework.expression.spel.SpelEvaluationException: EL1079E: SpEL expression is too long, exceeding the threshold of '10,000' characters"}}
Proposal
Make the parameter maximumExpressionLength of SpelParserConfiguration configurable when it is instantiated in StandardBeanExpressionResolver.java (see the snippet above). Example (not sure what a conformant property name would be):
spring.standardBeanExpressionResolver.maximumExpressionLength=20000