Make max length of SpEL expressions in an ApplicationContext configurable

This commit introduces support for a Spring property named `spring.context.expression.maxLength`. When set, the value of that property is used internally in StandardBeanExpressionResolver to configure the SpelParserConfiguration used when evaluating String values in bean definitions, @⁠Value, etc. Closes gh-31952
2024-01-09 11:09:44 +01:00 · 2024-01-09 11:09:44 +01:00 · 785598629a
parent 3452354a11
commit 785598629a
5 changed files with 126 additions and 6 deletions
--- a/framework-docs/modules/ROOT/pages/appendix.adoc
+++ b/framework-docs/modules/ROOT/pages/appendix.adoc
@ -28,6 +28,11 @@ JavaBeans `Introspector`. See
 {spring-framework-api}++/beans/StandardBeanInfoFactory.html#IGNORE_BEANINFO_PROPERTY_NAME++[`CachedIntrospectionResults`]
 for details.
 | `spring.context.expression.maxLength`
 | The maximum length for
 xref:core/expressions/evaluation.adoc#expressions-parser-configuration[Spring Expression Language]
 expressions used in XML bean definitions, `@Value`, etc.
 | `spring.expression.compiler.mode`
 | The mode to use when compiling expressions for the
 xref:core/expressions/evaluation.adoc#expressions-compiler-configuration[Spring Expression Language].
--- a/framework-docs/modules/ROOT/pages/core/expressions/evaluation.adoc
+++ b/framework-docs/modules/ROOT/pages/core/expressions/evaluation.adoc
@ -380,6 +380,15 @@ Kotlin::
 ----
 ======
 By default, a SpEL expression cannot contain more than 10,000 characters; however, the
 `maxExpressionLength` is configurable. If you create a `SpelExpressionParser`
 programmatically, you can specify a custom `maxExpressionLength` when creating the
 `SpelParserConfiguration` that you provide to the `SpelExpressionParser`. If you wish to
 set the `maxExpressionLength` used for parsing SpEL expressions within an
 `ApplicationContext` -- for example, in XML bean definitions, `@Value`, etc. -- you can
 set a JVM system property or Spring property named `spring.context.expression.maxLength`
 to the maximum expression length needed by your application (see
 xref:appendix.adoc#appendix-spring-properties[Supported Spring Properties]).
 [[expressions-spel-compilation]]
--- a/spring-context/src/main/java/org/springframework/context/expression/StandardBeanExpressionResolver.java
+++ b/spring-context/src/main/java/org/springframework/context/expression/StandardBeanExpressionResolver.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,7 @@ import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanExpressionException;
 import org.springframework.beans.factory.config.BeanExpressionContext;
 import org.springframework.beans.factory.config.BeanExpressionResolver;
 import org.springframework.core.SpringProperties;
 import org.springframework.core.convert.ConversionService;
 import org.springframework.core.convert.support.DefaultConversionService;
 import org.springframework.expression.Expression;
@ -47,6 +48,7 @@ import org.springframework.util.StringUtils;
 * beans such as "environment", "systemProperties" and "systemEnvironment".
 *
 * @author Juergen Hoeller
 * @author Sam Brannen
 * @since 3.0
 * @see BeanExpressionContext#getBeanFactory()
 * @see org.springframework.expression.ExpressionParser
@ -55,6 +57,14 @@ import org.springframework.util.StringUtils;
 */
 public class StandardBeanExpressionResolver implements BeanExpressionResolver {
 	/**
 	 * System property to configure the maximum length for SpEL expressions: {@value}.
 	 * <p>Can also be configured via the {@link SpringProperties} mechanism.
 	 * @since 6.1.3
 	 * @see SpelParserConfiguration#getMaximumExpressionLength()
 	 */
 	public static final String MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME = "spring.context.expression.maxLength";
 	/** Default expression prefix: "#{". */
 	public static final String DEFAULT_EXPRESSION_PREFIX = "#{";
@ -90,18 +100,24 @@ public class StandardBeanExpressionResolver implements BeanExpressionResolver {
 	/**
 	 * Create a new {@code StandardBeanExpressionResolver} with default settings.
 	 * <p>As of Spring Framework 6.1.3, the maximum SpEL expression length can be
 	 * configured via the {@link #MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME} property.
 	 */
 	public StandardBeanExpressionResolver() {
-		this.expressionParser = new SpelExpressionParser();
+		this(null);
 	}
 	/**
 	 * Create a new {@code StandardBeanExpressionResolver} with the given bean class loader,
 	 * using it as the basis for expression compilation.
 	 * <p>As of Spring Framework 6.1.3, the maximum SpEL expression length can be
 	 * configured via the {@link #MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME} property.
 	 * @param beanClassLoader the factory's bean class loader
 	 */
 	public StandardBeanExpressionResolver(@Nullable ClassLoader beanClassLoader) {
-		this.expressionParser = new SpelExpressionParser(new SpelParserConfiguration(null, beanClassLoader));
+		SpelParserConfiguration parserConfig = new SpelParserConfiguration(
 				null, beanClassLoader, false, false, Integer.MAX_VALUE, retrieveMaxExpressionLength());
 		this.expressionParser = new SpelExpressionParser(parserConfig);
 	}
@ -178,4 +194,22 @@ public class StandardBeanExpressionResolver implements BeanExpressionResolver {
 	protected void customizeEvaluationContext(StandardEvaluationContext evalContext) {
 	}
 	private static int retrieveMaxExpressionLength() {
 		String value = SpringProperties.getProperty(MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME);
 		if (!StringUtils.hasText(value)) {
 			return SpelParserConfiguration.DEFAULT_MAX_EXPRESSION_LENGTH;
 		}
 		try {
 			int maxLength = Integer.parseInt(value.trim());
 			Assert.isTrue(maxLength > 0, () -> "Value [" + maxLength + "] for system property ["
 					+ MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME + "] must be positive");
 			return maxLength;
 		}
 		catch (NumberFormatException ex) {
 			throw new IllegalArgumentException("Failed to parse value for system property [" +
 					MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME + "]: " + ex.getMessage(), ex);
 		}
 	}
 }
--- a/spring-context/src/test/java/org/springframework/context/expression/ApplicationContextExpressionTests.java
+++ b/spring-context/src/test/java/org/springframework/context/expression/ApplicationContextExpressionTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -28,6 +28,7 @@ import java.util.Properties;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@ -42,17 +43,24 @@ import org.springframework.beans.testfixture.beans.TestBean;
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.context.annotation.AnnotationConfigUtils;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.core.SpringProperties;
 import org.springframework.core.convert.support.DefaultConversionService;
 import org.springframework.core.convert.support.GenericConversionService;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.EncodedResource;
 import org.springframework.core.testfixture.io.SerializationTestUtils;
 import org.springframework.expression.spel.SpelEvaluationException;
 import org.springframework.util.FileCopyUtils;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.springframework.context.expression.StandardBeanExpressionResolver.MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME;
 /**
 * Integration tests for SpEL expression support in an {@code ApplicationContext}.
 *
 * @author Juergen Hoeller
 * @author Sam Brannen
 * @since 3.0
@ -268,6 +276,70 @@ class ApplicationContextExpressionTests {
 		}
 	}
 	@Test
 	void maxSpelExpressionLengthMustBeAnInteger() {
 		doWithMaxSpelExpressionLength("boom", () -> {
 			try (AnnotationConfigApplicationContext ac = new AnnotationConfigApplicationContext()) {
 				assertThatIllegalArgumentException()
 						.isThrownBy(ac::refresh)
 						.withMessageStartingWith("Failed to parse value for system property [%s]",
 								MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME)
 						.withMessageContaining("boom");
 			}
 		});
 	}
 	@Test
 	void maxSpelExpressionLengthMustBePositive() {
 		doWithMaxSpelExpressionLength("-99", () -> {
 			try (AnnotationConfigApplicationContext ac = new AnnotationConfigApplicationContext()) {
 				assertThatIllegalArgumentException()
 						.isThrownBy(ac::refresh)
 						.withMessage("Value [%d] for system property [%s] must be positive", -99,
 								MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME);
 			}
 		});
 	}
 	@Test
 	void maxSpelExpressionLength() {
 		final String expression = "#{ 'xyz' + 'xyz' + 'xyz' }";
 		// With the default max length of 10_000, the expression should succeed.
 		evaluateExpressionInBean(expression);
 		// With a max length of 20, the expression should fail.
 		doWithMaxSpelExpressionLength("20", () ->
 				assertThatExceptionOfType(BeanCreationException.class)
 					.isThrownBy(() -> evaluateExpressionInBean(expression))
 					.havingRootCause()
 						.isInstanceOf(SpelEvaluationException.class)
 						.withMessageEndingWith("exceeding the threshold of '20' characters"));
 	}
 	private static void doWithMaxSpelExpressionLength(String maxLength, Runnable action) {
 		try {
 			SpringProperties.setProperty(MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME, maxLength);
 			action.run();
 		}
 		finally {
 			SpringProperties.setProperty(MAX_SPEL_EXPRESSION_LENGTH_PROPERTY_NAME, null);
 		}
 	}
 	private static void evaluateExpressionInBean(String expression) {
 		try (AnnotationConfigApplicationContext ac = new AnnotationConfigApplicationContext()) {
 			GenericBeanDefinition bd = new GenericBeanDefinition();
 			bd.setBeanClass(String.class);
 			bd.getConstructorArgumentValues().addGenericArgumentValue(expression);
 			ac.registerBeanDefinition("str", bd);
 			ac.refresh();
 			String str = ac.getBean("str", String.class);
 			assertThat(str).isEqualTo("xyz".repeat(3)); // "#{ 'xyz' + 'xyz' + 'xyz' }"
 		}
 	}
 	@SuppressWarnings("serial")
 	public static class ValueTestBean implements Serializable {
--- a/spring-expression/src/main/java/org/springframework/expression/spel/SpelParserConfiguration.java
+++ b/spring-expression/src/main/java/org/springframework/expression/spel/SpelParserConfiguration.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -35,7 +35,7 @@ public class SpelParserConfiguration {
 	 * Default maximum length permitted for a SpEL expression.
 	 * @since 5.2.24
 	 */
-	private static final int DEFAULT_MAX_EXPRESSION_LENGTH = 10_000;
+	public static final int DEFAULT_MAX_EXPRESSION_LENGTH = 10_000;
 	/** System property to configure the default compiler mode for SpEL expression parsers: {@value}. */
 	public static final String SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME = "spring.expression.compiler.mode";