Skip to content

HV-1816 Disable Expression Language by default for custom constraint violations #1138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 4, 2020
Merged

HV-1816 Disable Expression Language by default for custom constraint violations #1138

merged 2 commits into from
Dec 4, 2020
+1,780 −111

Conversation

gsmet
Copy link
Member

@gsmet gsmet commented Nov 25, 2020

@gsmet gsmet force-pushed the HV-1816 branch 3 times, most recently from 2c0fff3 to d60e495 Compare November 25, 2020 19:22
yrodiere
yrodiere reviewed Dec 3, 2020
View reviewed changes
engine/src/main/java/org/hibernate/validator/BaseHibernateValidatorConfiguration.java Outdated
@@ -427,4 +428,15 @@ default S locales(Locale... locales) {

@Incubating
S beanMetaDataClassNormalizer(BeanMetaDataClassNormalizer beanMetaDataClassNormalizer);

/**
* Allows setting the Expression Language feature level.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So... is this the default for all constraints? Or only for default (built-in) constraints? Is it used as the default for custom constraint violations?

I find this a bit confusing...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I clarified it in the Javadoc.

I know it's a bit confusing but the defaults are different and I don't want the global default to be the one used by custom violations as they are more sensitive to security issues.

@gsmet gsmet force-pushed the HV-1816 branch 2 times, most recently from 354df4a to c211b53 Compare December 3, 2020 19:51
yrodiere
yrodiere reviewed Dec 4, 2020
View reviewed changes
engine/src/main/java/org/hibernate/validator/BaseHibernateValidatorConfiguration.java

/**
* Property for configuring the Expression Language feature level for custom violations, allowing to define which
* Expression Language features are available for message interpolation.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a link to the method that allows customizing this setting for custom violations?

...hibernate/validator/internal/engine/constraintvalidation/ConstraintValidatorContextImpl.java
@@ -181,7 +189,7 @@ private ConstraintViolationCreationContext getDefaultConstraintViolationCreation
private abstract class NodeBuilderBase {

protected final String messageTemplate;
protected boolean expressionLanguageEnabled;
protected ExpressionLanguageFeatureLevel expressionLanguageFeatureLevel = defaultCustomViolationExpressionLanguageFeatureLevel;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since EL may now be enabled by default depending on configuration, shouldn't enableExpressionLanguage be renamed to expressionLanguageFeatureLevel?
On second thought, it also feels weird that we can call enableExpressionLanguage(NONE).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I prefer it the way it is.

...c/main/java/org/hibernate/validator/messageinterpolation/ExpressionLanguageFeatureLevel.java
* <p>
* For custom violations, the default is {@link ExpressionLanguageFeatureLevel#NONE} and, if Expression Language is
* enabled for a given custom violation via the API, the default becomes
* {@link ExpressionLanguageFeatureLevel#VARIABLES} in the context of this given custom violation.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not quite the full story, though.

From what I can see:

  • If not enabled explicitly, the default is whatever the user configured through properties, falling back to NONE.
  • If enabled explicitly, the default is VARIABLES, and whatever the user configured through properties is ignored.

Which seems... complex?

@gsmet gsmet changed the base branch from 6.1 to 6.2 December 4, 2020 10:33
@gsmet
Copy link
Member Author

gsmet commented Dec 4, 2020

/cc @pwntester this might be of interest to you. I plan to include this in a 6.2 and a 7.

I gave up on hoping that users will read the documentation and also the most problematic way is that there is no spec-compliant way to be safe.

The way I did it passes the Bean Validation TCK while reducing the EL Features even for standard constraints.

For custom violations, it's completely disabled by default and you can enable EL on a case per case basis. We also have a global settings for compatibility reasons but the idea is that people should enable EL for specific custom violations and thus be careful when doing so.

@pwntester
Copy link

Secure by default, way to go!

@gsmet
Copy link
Member Author

gsmet commented Dec 4, 2020

Well, secure by default is easy.

The hard part is to still offer the flexibility of EL without compromising the whole thing (i.e. avoid pushing people to use a global switch which IMHO is equally as bad) and still passing the TCK.

I think we need to push addExpressionVariable() to the spec.

@gsmet gsmet merged this pull request into hibernate:6.2 Dec 4, 2020
@joschi joschi mentioned this pull request Apr 24, 2021
Merged
1 task
joschi added a commit to dropwizard/dropwizard that referenced this pull request Apr 25, 2021
@renovate @renovate-bot @joschi
Update dependency org.hibernate.validator:hibernate-validator to v6.2…
a9bd3f4 
….0.Final (master) (#3732)

> ### Expression Language overhaul
> 
> Expression Language disabled by default for custom violations.
> 
> Ability to define the Expression Language features enabled for more safety.

- https://hibernate.org/validator/releases/6.2/#whats-new
- https://hibernate.atlassian.net/browse/HV-1816
- hibernate/hibernate-validator#1138
- https://docs.jboss.org/hibernate/validator/6.2/reference/en-US/html_single/#el-features

Co-authored-by: Renovate Bot <[email protected]>
Co-authored-by: Jochen Schalanda <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yrodiere yrodiere yrodiere left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gsmet @pwntester @yrodiere