The code example below is vulnerable to Spring4Shell:

    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class ExampleController {

        @GetMapping("/greeting")
        public String greeting(@RequestParam(name = "name", required = false, defaultValue = "World") String name) {
            // The raw request parameter is concatenated straight into the response
            String message = "Hello, " + name + "!";
            return message;
        }
    }
The name parameter is neither validated nor sanitized. An attacker can use it to inject malicious code and execute arbitrary commands on the server, for example with a request such as:

    http://example.com/greeting?name=${T(java.lang.Runtime).getRuntime().exec('ls').getText()}

(The original page pairs this request with the command line java -jar Example.jar "$(gopher://127.0.0.1:12345/_Log4j_JNDI)".)
To prevent malicious code injection, always validate and sanitize any user input that is used to construct a command or execute code on the server. For this example, you could sanitize the name parameter by escaping any special characters that could be used to inject code. The following fix uses the StringEscapeUtils.escapeHtml4 method from the Apache Commons Lang library to sanitize the name parameter:
    import org.apache.commons.lang3.StringEscapeUtils;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class ExampleController {

        @GetMapping("/greeting")
        public String greeting(@RequestParam(name = "name", required = false, defaultValue = "World") String name) {
            // HTML-encode the parameter before it is placed into the response body
            String sanitizedName = StringEscapeUtils.escapeHtml4(name);
            String message = "Hello, " + sanitizedName + "!";
            return message;
        }
    }
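The text above calls for both validation and sanitization, but the fix only shows the sanitization half. The following added example (written for this page, not code from the original or from the Spring or Commons Lang projects) shows the validation half: an allow-list check on the name parameter that rejects anything outside the characters a greeting actually needs, so expression-like input such as "${...}" never reaches the response at all. The class name NameValidator, the regular expression, the 64-character cap and the sample inputs are assumptions chosen for the example.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the original page): allow-list validation for the
// "name" request parameter. Only letters, spaces, apostrophes, hyphens and
// periods are accepted, so template or expression syntax such as "${...}" or
// "#{...}" is rejected up front instead of being echoed into the response.
public final class NameValidator {

    // Unicode letters plus a few punctuation characters that occur in real names.
    // The length cap (an assumed value) keeps responses and log lines bounded.
    private static final Pattern ALLOWED = Pattern.compile("^[\\p{L} .'-]{1,64}$");

    private NameValidator() {}

    /** Returns true only if the whole value matches the allow-list. */
    public static boolean isValidName(String name) {
        return name != null && ALLOWED.matcher(name).matches();
    }

    /**
     * Returns the value unchanged if it is valid, otherwise throws so the caller
     * can map the failure to a 400 response (in a Spring controller, for example,
     * by rethrowing as ResponseStatusException(HttpStatus.BAD_REQUEST, ...)).
     */
    public static String requireValidName(String name) {
        if (!isValidName(name)) {
            throw new IllegalArgumentException("name contains disallowed characters or is too long");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two are legitimate names, the rest
        // carry characters a greeting never needs (the third is the page's own payload).
        List<String> samples = List.of(
            "World",
            "Ana-Maria O'Neil",
            "${T(java.lang.Runtime).getRuntime().exec('ls').getText()}",
            "<script>alert(1)</script>",
            "");
        for (String s : samples) {
            System.out.printf("%-60s -> %s%n", s, isValidName(s) ? "accepted" : "rejected");
        }
    }
}
```

Run it with `java NameValidator.java` (Java 11 or later). In the controller, call `NameValidator.requireValidName(name)` before building the message and keep `escapeHtml4` for the output-encoding step: escapeHtml4 encodes HTML-significant characters such as `<`, `>`, `&` and `"`, but leaves `$`, `{`, `}`, `(` and `)` untouched, so the allow-list check is what stops expression-style input from being accepted in the first place.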