There is an Expression Language Injection risk. Expression Language (EL) Injection happens when attacker-controlled data enters an EL interpreter.
The code is:

    if (request.getSettingKey() != null) {
        // Update a single setting
        ProjectSetting setting = getById(request.getId()).getSetting();
        spelParser.parseExpression(request.getSettingKey()).setValue(setting, request.getSettingValue());
        project.setSetting(setting);
        // Keep the project status in sync
        if ("status".equals(request.getSettingKey())) {
            project.setStatus((Integer) request.getSettingValue());
        }
    }
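One way to remove the injection point, shown as an added example rather than the project's own code: the setting key is looked up in a fixed allow-list of typed setters instead of being handed to `spelParser.parseExpression`. The `ProjectSetting` stand-in, the `description` field and the `applySetting` helper are hypothetical; only the `status` key appears in the reported code.

```java
import java.util.Map;
import java.util.function.BiConsumer;

public class SettingUpdateExample {

    // Hypothetical stand-in for the project's ProjectSetting class.
    static class ProjectSetting {
        private Integer status;
        private String description;
        void setStatus(Integer status) { this.status = status; }
        void setDescription(String description) { this.description = description; }
        Integer getStatus() { return status; }
    }

    // Fixed allow-list: each accepted key maps to exactly one typed setter.
    // The key is only used for a map lookup and is never parsed as an expression.
    private static final Map<String, BiConsumer<ProjectSetting, Object>> SETTERS = Map.of(
            "status", (s, v) -> s.setStatus(requireType(v, Integer.class, "status")),
            "description", (s, v) -> s.setDescription(requireType(v, String.class, "description")));

    // Replaces the unchecked (Integer) cast with an explicit type check.
    private static <T> T requireType(Object value, Class<T> type, String key) {
        if (!type.isInstance(value)) {
            throw new IllegalArgumentException("Invalid value type for setting: " + key);
        }
        return type.cast(value);
    }

    static void applySetting(ProjectSetting setting, String settingKey, Object settingValue) {
        BiConsumer<ProjectSetting, Object> setter =
                settingKey == null ? null : SETTERS.get(settingKey);
        if (setter == null) {
            throw new IllegalArgumentException("Unsupported setting key");
        }
        setter.accept(setting, settingValue);
    }

    public static void main(String[] args) {
        ProjectSetting setting = new ProjectSetting();
        applySetting(setting, "status", 1); // key on the allow-list, value of the right type
        System.out.println("status = " + setting.getStatus());
        try {
            // Constructed input: a key outside the allow-list is rejected before any evaluation.
            applySetting(setting, "not.an.allowed[key]", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If SpEL has to stay for other reasons, the same allow-list check can run before parsing, and Spring's `SimpleEvaluationContext` can be used in place of the default evaluation context to restrict what an expression may reference.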