Disable SpEL selector support in WebSocket messaging by default

sbrannen · sbrannen · commit 5bc80fc094ed · 2023-06-04T17:02:02.000+02:00
This commit disables support for evaluating SpEL expressions from untrusted sources by default. Specifically, this applies to the SpEL-based 'selector' header support in WebSocket messaging, which includes the DefaultSubscriptionRegistry and the classes used to configure the 'selector' header name (SimpleBrokerMessageHandler and SimpleBrokerRegistration). The selector header support remains in place but will have to be explicitly enabled beginning with Spring Framework 6.1. For example, a custom implementation of WebSocketMessageBrokerConfigurer can override the configureMessageBroker() method and configure the selector header name as follows. registry.enableSimpleBroker().setSelectorHeaderName("selector"); Closes gh-30550
diff --git a/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java b/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java
@@ -54,9 +54,11 @@
  * in memory and uses a {@link org.springframework.util.PathMatcher PathMatcher}
  * for matching destinations.
  *
- * <p>As of 4.2, this class supports a {@link #setSelectorHeaderName selector}
- * header on subscription messages with Spring EL expressions evaluated against
- * the headers to filter out messages in addition to destination matching.
+ * <p>This class also supports an optional <em>selector</em> header on subscription
+ * messages with Spring Expression Language (SpEL) expressions evaluated against
+ * the headers to filter out messages in addition to destination matching. As of
+ * Spring Framework 6.1, the SpEL support is disabled by default, but it can be
+ * enabled by setting a {@linkplain #setSelectorHeaderName selector header name}.
  *
  * @author Rossen Stoyanchev
  * @author Sebastien Deleuze
@@ -79,7 +81,7 @@ public class DefaultSubscriptionRegistry extends AbstractSubscriptionRegistry {
 	private int cacheLimit = DEFAULT_CACHE_LIMIT;
 
 	@Nullable
-	private String selectorHeaderName = "selector";
+	private String selectorHeaderName;
 
 	private volatile boolean selectorHeaderInUse;
 
@@ -130,9 +132,11 @@ public int getCacheLimit() {
 	 * <pre style="code">
 	 * headers.foo == 'bar'
 	 * </pre>
-	 * <p>By default this is set to "selector". You can set it to a different
-	 * name, or to {@code null} to turn off support for a selector header.
-	 * @param selectorHeaderName the name to use for a selector header
+	 * <p>By default the selector header name is set to {@code null} which disables
+	 * this feature. You can set it to {@code "selector"} or a different name to
+	 * enable support for a selector header.
+	 * @param selectorHeaderName the name to use for a selector header, or {@code null}
+	 * or blank to disable selector header support
 	 * @since 4.2
 	 */
 	public void setSelectorHeaderName(@Nullable String selectorHeaderName) {
diff --git a/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java b/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java
@@ -61,7 +61,7 @@ public class SimpleBrokerMessageHandler extends AbstractBrokerMessageHandler {
 	private Integer cacheLimit;
 
 	@Nullable
-	private String selectorHeaderName = "selector";
+	private String selectorHeaderName;
 
 	@Nullable
 	private TaskScheduler taskScheduler;
@@ -172,11 +172,13 @@ private void initCacheLimitToUse() {
 	 * <pre style="code">
 	 * headers.foo == 'bar'
 	 * </pre>
-	 * <p>By default this is set to "selector". You can set it to a different
-	 * name, or to {@code null} to turn off support for a selector header.
+	 * <p>By default the selector header name is set to {@code null} which disables
+	 * this feature. You can set it to {@code "selector"} or a different name to
+	 * enable support for a selector header.
 	 * <p>Setting this property has no effect if the underlying SubscriptionRegistry
 	 * is not an instance of {@link DefaultSubscriptionRegistry}.
-	 * @param selectorHeaderName the name to use for a selector header
+	 * @param selectorHeaderName the name to use for a selector header, or {@code null}
+	 * or blank to disable selector header support
 	 * @since 4.3.17
 	 * @see #setSubscriptionRegistry
 	 * @see DefaultSubscriptionRegistry#setSelectorHeaderName(String)
diff --git a/spring-messaging/src/main/java/org/springframework/messaging/simp/config/SimpleBrokerRegistration.java b/spring-messaging/src/main/java/org/springframework/messaging/simp/config/SimpleBrokerRegistration.java
@@ -38,7 +38,7 @@ public class SimpleBrokerRegistration extends AbstractBrokerRegistration {
 	private long[] heartbeat;
 
 	@Nullable
-	private String selectorHeaderName = "selector";
+	private String selectorHeaderName;
 
 
 	/**
@@ -90,9 +90,11 @@ public SimpleBrokerRegistration setHeartbeatValue(long[] heartbeat) {
 	 * <pre style="code">
 	 * headers.foo == 'bar'
 	 * </pre>
-	 * <p>By default this is set to "selector". You can set it to a different
-	 * name, or to {@code null} to turn off support for a selector header.
-	 * @param selectorHeaderName the name to use for a selector header
+	 * <p>By default the selector header name is set to {@code null} which disables
+	 * this feature. You can set it to {@code "selector"} or a different name to
+	 * enable support for a selector header.
+	 * @param selectorHeaderName the name to use for a selector header, or {@code null}
+	 * or blank to disable selector header support
 	 * @since 4.3.17
 	 */
 	public void setSelectorHeaderName(@Nullable String selectorHeaderName) {
diff --git a/spring-messaging/src/test/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistryTests.java b/spring-messaging/src/test/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistryTests.java
@@ -253,7 +253,7 @@ void registerSubscriptionWithDestinationPatternRegex() {
 	}
 
 	@Test
-	void registerSubscriptionWithSelectorHeaderEnabledByDefault() {
+	void registerSubscriptionWithSelectorHeaderEnabled() {
 		String sessionId1 = "sess01";
 		String sessionId2 = "sess02";
 		String sessionId3 = "sess03";
@@ -264,6 +264,9 @@ void registerSubscriptionWithSelectorHeaderEnabledByDefault() {
 		String selector1 = "headers.foo == 'bar'";
 		String selector2 = "headers.foo == 'enigma'";
 
+		// Explicitly enable selector support
+		this.registry.setSelectorHeaderName("selector");
+
 		// Register subscription with matching selector header
 		this.registry.registerSubscription(subscribeMessage(sessionId1, subscriptionId1, destination, selector1));
 		// Register subscription with non-matching selector header
@@ -297,7 +300,7 @@ void registerSubscriptionWithSelectorHeaderEnabledByDefault() {
 	}
 
 	@Test
-	void registerSubscriptionWithSelectorHeaderDisabled() {
+	void registerSubscriptionWithSelectorHeaderDisabledByDefault() {
 		String sessionId1 = "sess01";
 		String sessionId2 = "sess02";
 		String sessionId3 = "sess03";
@@ -308,9 +311,6 @@ void registerSubscriptionWithSelectorHeaderDisabled() {
 		String selector1 = "headers.foo == 'bar'";
 		String selector2 = "headers.foo == 'enigma'";
 
-		// Explicitly disable selector header support
-		this.registry.setSelectorHeaderName(null);
-
 		// Register subscription with matching selector header
 		this.registry.registerSubscription(subscribeMessage(sessionId1, subscriptionId1, destination, selector1));
 		// Register subscription with non-matching selector header
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/config/annotation/WebSocketMessageBrokerConfigurationSupportTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/config/annotation/WebSocketMessageBrokerConfigurationSupportTests.java
@@ -165,8 +165,8 @@ void taskScheduler() {
 	}
 
 	@Test
-	void selectorHeaderEnabledByDefault() {
-		ApplicationContext context = createContext(TestChannelConfig.class, TestConfigurer.class);
+	void selectorHeaderEnabled() {
+		ApplicationContext context = createContext(TestChannelConfig.class, SelectorHeaderConfigurer.class);
 		SimpleBrokerMessageHandler simpleBrokerMessageHandler = simpleBrokerMessageHandler(context);
 
 		assertThat(simpleBrokerMessageHandler.getSubscriptionRegistry())
@@ -176,8 +176,8 @@ void selectorHeaderEnabledByDefault() {
 	}
 
 	@Test
-	void selectorHeaderDisabled() {
-		ApplicationContext context = createContext(TestChannelConfig.class, SelectorHeaderConfigurer.class);
+	void selectorHeaderDisabledByDefault() {
+		ApplicationContext context = createContext(TestChannelConfig.class, TestConfigurer.class);
 		SimpleBrokerMessageHandler simpleBrokerMessageHandler = simpleBrokerMessageHandler(context);
 
 		assertThat(simpleBrokerMessageHandler.getSubscriptionRegistry())
@@ -282,8 +282,8 @@ public void registerStompEndpoints(StompEndpointRegistry registry) {
 
 		@Override
 		public void configureMessageBroker(MessageBrokerRegistry registry) {
-			// Explicitly disable selector header support
-			registry.enableSimpleBroker().setSelectorHeaderName(null);
+			// Explicitly enable selector header support
+			registry.enableSimpleBroker().setSelectorHeaderName("selector");
 		}
 
 	}
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/messaging/StompWebSocketIntegrationTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/messaging/StompWebSocketIntegrationTests.java
@@ -320,7 +320,7 @@ public void registerStompEndpoints(StompEndpointRegistry registry) {
 		@Override
 		public void configureMessageBroker(MessageBrokerRegistry configurer) {
 			configurer.setApplicationDestinationPrefixes("/app");
-			configurer.enableSimpleBroker("/topic", "/queue");
+			configurer.enableSimpleBroker("/topic", "/queue").setSelectorHeaderName("selector");
 		}
 
 		@Bean

Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,7 @@ public void registerStompEndpoints(StompEndpointRegistry registry) {`
`320`	`320`	`@Override`
`321`	`321`	`public void configureMessageBroker(MessageBrokerRegistry configurer) {`
`322`	`322`	`configurer.setApplicationDestinationPrefixes("/app");`
`323`		`- configurer.enableSimpleBroker("/topic", "/queue");`
	`323`	`+ configurer.enableSimpleBroker("/topic", "/queue").setSelectorHeaderName("selector");`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`@Bean`