morincer / teamcity-plugin-saml

The plug-in adds the ability to authenticate users via SAML-based SSO providers (like Okta, OneLogin, etc.)
MIT License
24 stars, 16 forks

Use SimpleEvaluationContext instead of StandardEvaluationContext #126

Status: Closed (Linfar closed this 5 months ago)

Linfar commented 5 months ago

StandardEvaluationContext allows arbitrary code, including the Runtime class, which in turn can lead to an RCE. E.g. https://codethreat.medium.com/reminiscences-of-another-el-injection-62a3335cd22.

It looks like SimpleEvaluationContext can be safely used instead.
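As an added illustration of the difference this PR relies on (example code, not the plugin's own; the SAML attribute-mapping scenario, the attribute names and the two helper methods are assumptions), the same expressions are evaluated under both contexts: a legitimate mapping works in both, while an expression that reaches outside the bound data model resolves under StandardEvaluationContext and is rejected under SimpleEvaluationContext.

```java
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Constructed demonstration: a SAML attribute-mapping expression evaluated against
 * the attributes of an assertion. Not the plugin's code; attribute names and the
 * "before"/"after" helpers are assumptions for this example.
 */
public class SpelContextDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // "Before": full SpEL. Type references such as T(...) resolve, so an
    // expression can reach any class on the classpath, not just the root object.
    static Object evaluateWithStandardContext(String expr, Map<String, String> attrs) {
        EvaluationContext ctx = new StandardEvaluationContext(attrs);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // "After": data-binding-only SpEL. Type references, constructors, bean
    // references and assignment are unsupported; only the bound data is reachable.
    static Object evaluateWithSimpleContext(String expr, Map<String, String> attrs) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(attrs)
                .build();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample of assertion attributes.
        Map<String, String> attrs = Map.of("email", "jane@example.org", "displayName", "Jane Doe");

        // A legitimate mapping expression: indexes the attribute map, works in both contexts.
        String mapping = "['email']";
        System.out.println(evaluateWithSimpleContext(mapping, attrs));

        // An expression that leaves the data model: the standard context resolves the
        // type reference; the simple context throws before anything is invoked.
        String outsideModel = "T(java.lang.System).getProperty('java.version')";
        System.out.println(evaluateWithStandardContext(outsideModel, attrs));
        try {
            evaluateWithSimpleContext(outsideModel, attrs);
        } catch (EvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

SimpleEvaluationContext still permits instance method calls on the bound objects (static and Class methods are refused), so the root object handed to the mapping should expose only the assertion data the mapping needs.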