Skip to content

SimpleEvaluationContext does not enforce read-only semantics #33319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sbrannen opened this issue Aug 5, 2024 · 1 comment
Closed

SimpleEvaluationContext does not enforce read-only semantics #33319

sbrannen opened this issue Aug 5, 2024 · 1 comment
Assignees
@sbrannen
Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
6.1.12

Comments

@sbrannen
Copy link
Member

sbrannen commented Aug 5, 2024

SimpleEvaluationContext.forReadOnlyDataBinding() documents that it creates a SimpleEvaluationContext for read-only access to public properties; however, that is only partially true. Write access is in fact disabled for properties accessed via the registered DataBindingPropertyAccessor, but write access is not disabled for indexed structures when using the assignment operator, the increment operator, or the decrement operator.

In order to better align with the documented contract for forReadOnlyDataBinding(), we should make it possible to disable assignment (i.e., write access within a SpEL expression) in general in order to enforce read-only semantics for SpEL's SimpleEvaluationContext when created via the forReadOnlyDataBinding() factory method.
@sbrannen sbrannen added type: bug A general bug in: core Issues in core modules (aop, beans, core, context, expression) labels Aug 5, 2024
@sbrannen sbrannen added this to the 6.1.12 milestone Aug 5, 2024
@sbrannen sbrannen self-assigned this Aug 5, 2024
@github-actions github-actions bot added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.3.x labels Aug 5, 2024
This was referenced Aug 5, 2024
Closed
Closed
sbrannen added a commit to sbrannen/spring-framework that referenced this issue Aug 6, 2024
@sbrannen
Enforce read-only semantics in SpEL's SimpleEvaluationContext
93e9423 
SimpleEvaluationContext.forReadOnlyDataBinding() documents that it
creates a SimpleEvaluationContext for read-only access to public
properties; however, prior to this commit write access was not disabled
for indexed structures when using the assignment operator, the
increment operator, or the decrement operator.

In order to better align with the documented contract for
forReadOnlyDataBinding(), this commit makes it possible to disable
assignment in general in order to enforce read-only semantics for
SpEL's SimpleEvaluationContext when created via the
forReadOnlyDataBinding() factory method. Specifically:

- This commit introduces a new isAssignmentEnabled() "default" method
  in the EvaluationContext API, which returns true by default.

- SimpleEvaluationContext overrides isAssignmentEnabled(), returning
  false if the context was created via the forReadOnlyDataBinding()
  factory method.

- The Assign, OpDec, and OpInc AST nodes -- representing the assignment
  (=), increment (++), and decrement (--) operators, respectively --
  now throw a SpelEvaluationException if assignment is disabled for the
  current EvaluationContext.

Closes spring-projectsgh-33319
sbrannen added a commit that referenced this issue Aug 6, 2024
@sbrannen
Enforce read-only semantics in SpEL's SimpleEvaluationContext
e1ab306 
SimpleEvaluationContext.forReadOnlyDataBinding() documents that it
creates a SimpleEvaluationContext for read-only access to public
properties; however, prior to this commit write access was not disabled
for indexed structures when using the assignment operator, the
increment operator, or the decrement operator.

In order to better align with the documented contract for
forReadOnlyDataBinding(), this commit makes it possible to disable
assignment in general in order to enforce read-only semantics for
SpEL's SimpleEvaluationContext when created via the
forReadOnlyDataBinding() factory method. Specifically:

- This commit introduces a new isAssignmentEnabled() "default" method
  in the EvaluationContext API, which returns true by default.

- SimpleEvaluationContext overrides isAssignmentEnabled(), returning
  false if the context was created via the forReadOnlyDataBinding()
  factory method.

- The Assign, OpDec, and OpInc AST nodes -- representing the assignment
  (=), increment (++), and decrement (--) operators, respectively --
  now throw a SpelEvaluationException if assignment is disabled for the
  current EvaluationContext.

See gh-33319
Closes gh-33321

(cherry picked from commit 0127de5)
sbrannen added a commit that referenced this issue Aug 6, 2024
@sbrannen
Enforce read-only semantics in SpEL's SimpleEvaluationContext
26f2dad 
SimpleEvaluationContext.forReadOnlyDataBinding() documents that it
creates a SimpleEvaluationContext for read-only access to public
properties; however, prior to this commit write access was not disabled
for indexed structures when using the assignment operator, the
increment operator, or the decrement operator.

In order to better align with the documented contract for
forReadOnlyDataBinding(), this commit makes it possible to disable
assignment in general in order to enforce read-only semantics for
SpEL's SimpleEvaluationContext when created via the
forReadOnlyDataBinding() factory method. Specifically:

- This commit introduces a new isAssignmentEnabled() "default" method
  in the EvaluationContext API, which returns true by default.

- SimpleEvaluationContext overrides isAssignmentEnabled(), returning
  false if the context was created via the forReadOnlyDataBinding()
  factory method.

- The Assign, OpDec, and OpInc AST nodes -- representing the assignment
  (=), increment (++), and decrement (--) operators, respectively --
  now throw a SpelEvaluationException if assignment is disabled for the
  current EvaluationContext.

See gh-33319
Closes gh-33320

(cherry picked from commit e1ab306)
@sbrannen
Copy link
Member Author

Reopening to introduce SimpleEvaluationContext.Builder.withAssignmentDisabled().

@sbrannen sbrannen reopened this Aug 13, 2024
sbrannen added a commit that referenced this issue Aug 13, 2024
@sbrannen
Introduce withAssignmentDisabled() option for SimpleEvaluationContext
79c7bfd 
To support additional use cases, this commit introduces a
withAssignmentDisabled() method in the Builder for
SimpleEvaluationContext.

See gh-33319
Closes gh-33321

(cherry picked from commit e74406a)
sbrannen added a commit that referenced this issue Aug 13, 2024
@sbrannen
Introduce withAssignmentDisabled() option for SimpleEvaluationContext
f9c3d00 
To support additional use cases, this commit introduces a
withAssignmentDisabled() method in the Builder for
SimpleEvaluationContext.

See gh-33319
Closes gh-33320

(cherry picked from commit 79c7bfd)
@sbrannen sbrannen mentioned this issue Oct 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbrannen sbrannen

Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
6.1.12
Development

No branches or pull requests
1 participant
@sbrannen