Implemented thymeleaf/thymeleaf#809 for Spring 5 (SpEL)

Author: danielfernandez

thymeleaf-spring5/src/main/java/org/thymeleaf/spring5/expression/SPELVariableExpressionEvaluator.java

@@ -39,6 +39,7 @@
 import org.thymeleaf.expression.IExpressionObjects;
 import org.thymeleaf.spring5.context.IThymeleafBindStatus;
 import org.thymeleaf.spring5.util.FieldUtils;
+import org.thymeleaf.spring5.util.SpringStandardExpressionUtils;
 import org.thymeleaf.spring5.util.SpringValueFormatter;
 import org.thymeleaf.spring5.util.SpringVersionUtils;
 import org.thymeleaf.standard.expression.IStandardConversionService;
@@ -177,7 +178,8 @@ public final Object evaluate(
             /*
              * OBTAIN THE EXPRESSION (SpelExpression OBJECT) FROM THE CACHE, OR PARSE IT
              */
-            final ComputedSpelExpression exp = obtainComputedSpelExpression(configuration, expression, spelExpression);
+            final ComputedSpelExpression exp =
+                    obtainComputedSpelExpression(configuration, expression, spelExpression, expContext);
 
 
             /*
@@ -298,7 +300,9 @@ public final Object evaluate(
 
 
     private static ComputedSpelExpression obtainComputedSpelExpression(
-            final IEngineConfiguration configuration, final IStandardVariableExpression expression, final String spelExpression) {
+            final IEngineConfiguration configuration,
+            final IStandardVariableExpression expression, final String spelExpression,
+            final StandardExpressionExecutionContext expContext) {
 
         if (expression instanceof VariableExpression) {
 
@@ -308,7 +312,7 @@ private static ComputedSpelExpression obtainComputedSpelExpression(
             if (cachedExpression != null && cachedExpression instanceof ComputedSpelExpression) {
                 return (ComputedSpelExpression) cachedExpression;
             }
-            cachedExpression = getExpression(configuration, spelExpression);
+            cachedExpression = getExpression(configuration, spelExpression, expContext);
             if (cachedExpression != null) {
                 vexpression.setCachedExpression(cachedExpression);
             }
@@ -324,20 +328,22 @@ private static ComputedSpelExpression obtainComputedSpelExpression(
             if (cachedExpression != null && cachedExpression instanceof ComputedSpelExpression) {
                 return (ComputedSpelExpression) cachedExpression;
             }
-            cachedExpression = getExpression(configuration, spelExpression);
+            cachedExpression = getExpression(configuration, spelExpression, expContext);
             if (cachedExpression != null) {
                 vexpression.setCachedExpression(cachedExpression);
             }
             return (ComputedSpelExpression) cachedExpression;
 
         }
 
-        return getExpression(configuration, spelExpression);
+        return getExpression(configuration, spelExpression, expContext);
 
     }
 
 
-    private static ComputedSpelExpression getExpression(final IEngineConfiguration configuration, final String spelExpression) {
+    private static ComputedSpelExpression getExpression(
+            final IEngineConfiguration configuration,
+            final String spelExpression, final StandardExpressionExecutionContext expContext) {
 
         ComputedSpelExpression exp = null;
         ICache<ExpressionCacheKey, Object> cache = null;
@@ -357,9 +363,16 @@ private static ComputedSpelExpression getExpression(final IEngineConfiguration c
                     PARSER_WITH_COMPILED_SPEL != null && SpringStandardExpressions.isSpringELCompilerEnabled(configuration)?
                             PARSER_WITH_COMPILED_SPEL : PARSER_WITHOUT_COMPILED_SPEL;
 
-            final SpelExpression spelExpressionObject = (SpelExpression) spelExpressionParser.parseExpression(spelExpression);
+            if (expContext.getRestrictInstantiationAndStatic()
+                    && SpringStandardExpressionUtils.containsSpELInstantiationOrStatic(spelExpression)) {
+                throw new TemplateProcessingException(
+                        "Instantiation of new objects and access to static classes is forbidden in this context");
+            }
+
             final boolean mightNeedExpressionObjects = StandardExpressionUtils.mightNeedExpressionObjects(spelExpression);
 
+            final SpelExpression spelExpressionObject = (SpelExpression) spelExpressionParser.parseExpression(spelExpression);
+
             exp = new ComputedSpelExpression(spelExpressionObject, mightNeedExpressionObjects);
 
             if (cache != null && null != exp) {

thymeleaf-spring5/src/main/java/org/thymeleaf/spring5/util/SpringExpressionUtils.java thymeleaf-spring5/src/main/java/org/thymeleaf/spring5/util/SpringStandardExpressionUtils.java

@@ -26,7 +26,7 @@
  * @since 3.0.12
  *
  */
-public final class SpringExpressionUtils {
+public final class SpringStandardExpressionUtils {
 
 
     private static final char[] NEW_ARRAY = "wen".toCharArray(); // Inverted "new"
@@ -37,7 +37,7 @@ public static boolean containsSpELInstantiationOrStatic(final String expression)
 
         /*
          * Checks whether the expression contains instantiation of objects ("new SomeClass") or makes use of
-         * static methods ("@SomeClass@") as both are forbidden in certain contexts in restricted mode.
+         * static methods ("T(SomeClass)") as both are forbidden in certain contexts in restricted mode.
          */
 
         final int explen = expression.length();
@@ -95,7 +95,7 @@ public static boolean containsSpELInstantiationOrStatic(final String expression)
 
 
 
-    private SpringExpressionUtils() {
+    private SpringStandardExpressionUtils() {
         super();
     }