Skip to content

Fix SpEL injection (potential RCE) in DsSpelExpressionProcessor#767

Merged
huayanYu merged 3 commits intomasterfrom
copilot/fix-spel-injection-issue
Apr 18, 2026
Merged

Fix SpEL injection (potential RCE) in DsSpelExpressionProcessor#767
huayanYu merged 3 commits intomasterfrom
copilot/fix-spel-injection-issue

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 31, 2026
edited
Loading

DsSpelExpressionProcessor evaluated @DS annotation values using StandardEvaluationContext with no restrictions, allowing T(java.lang.Runtime) type references and constructor expressions to execute arbitrary code if an attacker-controlled value reached the SpEL evaluator.

Changes

  • DsSpelExpressionProcessor.java: Harden the StandardEvaluationContext before evaluation (enabled by default, opt-out via configuration):

    • Override TypeLocator to throw EvaluationException on any type lookup — blocks T(...) expressions
    • Set empty constructor resolvers — blocks new SomeClass(...) expressions
    • Bean resolution (@beanName), parameter access (#param), and property traversal (#obj.field) are unaffected
    • New allowedSpelTypeAccess field (default false) and setAllowedSpelTypeAccess(boolean) setter allow users to explicitly opt in to the original unrestricted behavior

  • DynamicDatasourceAopProperties.java: New allowedSpelTypeAccess property (default false) exposed as spring.datasource.dynamic.aop.allowed-spel-type-access. Set to true to restore the original behavior — only do this if you fully understand the security implications.

  • DynamicDataSourceAopConfiguration.java (Spring Boot 2, 3, and 4 variants): Wire allowedSpelTypeAccess from properties into DsSpelExpressionProcessor.

  • DsSpelExpressionProcessorSecurityTest: Unit tests confirming #param resolution still works, that T(java.lang.Runtime).getRuntime().exec('id') and new java.lang.ProcessBuilder('id').start() both throw EvaluationException by default, and that setting allowedSpelTypeAccess=true lifts the restriction.

Warning

Setting spring.datasource.dynamic.aop.allowed-spel-type-access=true restores the original unrestricted SpEL evaluation and exposes your application to SpEL injection / RCE if datasource key expressions can be influenced by untrusted input. Only enable this if you genuinely need T(...) or new expressions and accept the risk.

Copilot AI linked an issue Mar 31, 2026 that may be closed by this pull request
[Vulnerability] SpEL Injection in baomidou_dynamic-datasource #766
Closed
Copilot AI changed the title [WIP] Fix SpEL injection vulnerability in dynamic-datasource Fix SpEL injection (potential RCE) in DsSpelExpressionProcessor Mar 31, 2026
Copilot AI requested a review from huayanYu March 31, 2026 10:12
@huayanYu
Copy link
Copy Markdown
Member

huayanYu commented Mar 31, 2026

@copilot 正确的修改方案应该提供开关,默认禁用,手动配置了允许则保持原样,用户应该自己意识到手动开启后带来的危险。

Copy link
Copy Markdown
Contributor Author

Copilot AI commented Mar 31, 2026
edited
Loading

@copilot 正确的修改方案应该提供开关,默认禁用,手动配置了允许则保持原样,用户应该自己意识到手动开启后带来的危险。

Done in commit 9b7acde. Added an allowedSpelTypeAccess toggle (default false = restricted/safe):

  • DsSpelExpressionProcessor — new allowedSpelTypeAccess field (default false) controls whether T(...) type references and new constructor expressions are permitted.
  • DynamicDatasourceAopProperties — new allowedSpelTypeAccess property, default false.
  • All three DynamicDataSourceAopConfiguration classes (Spring Boot 2 / 3 / 4) — wire the property into spelExpressionProcessor.setAllowedSpelTypeAccess(...).

To restore the original (unrestricted) behavior, users explicitly set:

spring:
  datasource:
    dynamic:
      aop:
        allowed-spel-type-access: true

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • maven.aliyun.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@huayanYu huayanYu marked this pull request as ready for review April 13, 2026 03:42
Copilot AI review requested due to automatic review settings April 13, 2026 03:42
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens SpEL evaluation in DsSpelExpressionProcessor to reduce the risk of SpEL injection leading to RCE when resolving datasource keys, and exposes an opt-out configuration flag to restore legacy (unsafe) behavior.

Changes:

  • Add a default “restricted” mode that blocks SpEL T(...) type references and new constructor expressions during datasource key evaluation.
  • Introduce allowedSpelTypeAccess configuration (properties + auto-configuration wiring) to opt back into the original unrestricted behavior.
  • Add unit tests validating default blocking behavior and opt-in behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java Adds restricted SpEL evaluation mode and an opt-out setter.
dynamic-datasource-spring-boot-common/src/main/java/com/baomidou/dynamic/datasource/spring/boot/autoconfigure/DynamicDatasourceAopProperties.java Adds allowedSpelTypeAccess property for configuration binding.
dynamic-datasource-spring-boot-starter/src/main/java/com/baomidou/dynamic/datasource/spring/boot/autoconfigure/DynamicDataSourceAopConfiguration.java Wires the new property into DsSpelExpressionProcessor (Boot 2 line).
dynamic-datasource-spring-boot3-starter/src/main/java/com/baomidou/dynamic/datasource/spring/boot/autoconfigure/DynamicDataSourceAopConfiguration.java Wires the new property into DsSpelExpressionProcessor (Boot 3 line).
dynamic-datasource-spring-boot4-starter/src/main/java/com/baomidou/dynamic/datasource/spring/boot/autoconfigure/DynamicDataSourceAopConfiguration.java Wires the new property into DsSpelExpressionProcessor (Boot 4 line).
dynamic-datasource-spring-boot3-starter/src/test/java/com/baomidou/dynamic/datasource/common/v3/DsSpelExpressionProcessorSecurityTest.java Adds tests covering restricted default behavior and opt-in behavior.

Comment thread ...pring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java
Comment on lines +99 to +105
if (!allowedSpelTypeAccess) {
// Prevent SpEL injection: block T(...) type references and new instance creation
context.setTypeLocator(typeName -> {
throw new EvaluationException("Type access is not allowed in DS SpEL expressions: " + typeName);
});
context.setConstructorResolvers(Collections.emptyList());
}
Comment thread ...om/baomidou/dynamic/datasource/spring/boot/autoconfigure/DynamicDatasourceAopProperties.java
* Set to true only if your application genuinely requires such expressions and you
* fully understand the security risk.
*/
private Boolean allowedSpelTypeAccess = false;
Comment thread ...st/java/com/baomidou/dynamic/datasource/common/v3/DsSpelExpressionProcessorSecurityTest.java
Comment on lines +61 to +71
// T(...) type references must be blocked to prevent SpEL injection / RCE
assertThrows(EvaluationException.class, () ->
processor.doDetermineDatasource(invocation, "T(java.lang.Runtime).getRuntime().exec('id')")
);
}

@Test
void newInstanceExpressionShouldBeBlockedByDefault() {
// new Type(...) constructor invocations must also be blocked
assertThrows(EvaluationException.class, () ->
processor.doDetermineDatasource(invocation, "new java.lang.ProcessBuilder('id').start()")
Comment thread ...st/java/com/baomidou/dynamic/datasource/common/v3/DsSpelExpressionProcessorSecurityTest.java
Comment on lines +69 to +71
// new Type(...) constructor invocations must also be blocked
assertThrows(EvaluationException.class, () ->
processor.doDetermineDatasource(invocation, "new java.lang.ProcessBuilder('id').start()")
@huayanYu huayanYu merged commit 273fced into master Apr 18, 2026
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@huayanYu huayanYu Awaiting requested review from huayanYu

Assignees

@huayanYu huayanYu

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Vulnerability] SpEL Injection in baomidou_dynamic-datasource

3 participants

@huayanYu