Expression language injection
Description
Expression Language (EL) Injection is a code injection vulnerability that occurs when user-controlled input is evaluated by an Expression Language interpreter without proper validation or sanitization. Expression Language is a scripting feature commonly used in Java web applications (JSP, JSTL, Spring, Struts2) to access and manipulate data within templates and views. Common EL implementations include JSP EL (part of JSTL), OGNL (used by Struts2), MVEL, and Spring Expression Language (SpEL). When attackers can inject EL expressions (typically using ${...} or #{...} syntax), they may execute arbitrary code, access sensitive server-side objects, or manipulate application logic.
Remediation
Implement the following security controls to prevent Expression Language Injection:
1. Input Validation: Validate all user input against a strict allowlist of expected characters and patterns. Reject any input containing EL metacharacters such as ${, #{, }, or encoded variations.
2. Avoid Dynamic EL Evaluation: Never pass user input directly to EL evaluation functions. Avoid using user-controlled data in EL expressions or JSP tags that evaluate expressions dynamically.
3. Output Encoding: Apply proper output encoding before data reaches the EL interpreter. Encode special characters to prevent them from being interpreted as EL syntax:
// Example: Escape EL metacharacters
String safeInput = userInput.replace("${", "\\${").replace("#{", "\\#{");
4. Use Safe Alternatives: When possible, use parameterized or pre-compiled expressions rather than constructing EL expressions from user input. Consider using JSTL's <c:out> tag with proper escaping:
<!-- Safe approach -->
<c:out value="${userInput}" escapeXml="true"/>
<!-- Unsafe approach - avoid -->
${param.userInput}
5. Restrict EL Capabilities: Configure your application server to disable or restrict EL evaluation in user-facing contexts where it's not required. Implement security policies that limit access to sensitive objects within the EL scope.
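The following Java class is an added example, not code from the original page, that puts controls 1 through 4 side by side against the EL 3.0 API (javax.el.ELProcessor). It assumes the EL API and an implementation (for example GlassFish's) are on the classpath; the class name, method names, and the allowlist pattern are hypothetical, and the crafted input is a constructed sample that only performs arithmetic, so the effect of evaluation is visible without any harmful side effect. The contrast it shows is the one that matters for this vulnerability class: an expression whose source text contains user input (vulnerable) versus a fixed expression that receives the input as a bound variable (hardened).

```java
import java.util.regex.Pattern;
import javax.el.ELProcessor;

// Added example (not from the original page). Assumes the EL 3.0 API
// (javax.el) plus an implementation such as GlassFish's on the classpath.
public class ElInjectionDemo {

    // Control 1: allowlist validation. The pattern is a constructed example;
    // tighten it to the field's real domain. It admits none of the EL
    // delimiters ${, #{ or }, nor quotes that could close a string literal.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9 _.-]{1,64}$");

    public static boolean isAllowed(String input) {
        return input != null && SAFE_NAME.matcher(input).matches();
    }

    // Control 3: escape EL opening delimiters in data that will later be
    // placed into a JSP/Facelets template. A leading backslash makes the
    // container treat the delimiter as literal text instead of an expression.
    public static String escapeEl(String input) {
        return input.replace("${", "\\${").replace("#{", "\\#{");
    }

    // Vulnerable pattern (the page's "dynamic EL evaluation"): user input is
    // spliced into the expression source, so whatever it contains becomes code.
    public static String greetUnsafe(String userInput) {
        ELProcessor elp = new ELProcessor();
        // The quotes are meant to turn the input into a string literal, but the
        // input can close that quote and append an expression of its own.
        return String.valueOf(elp.eval("'Hello, " + userInput + "'"));
    }

    // Hardened pattern (controls 2 and 4): the expression is a fixed string,
    // and the input is bound as a variable, so it is only ever data.
    public static String greetSafe(String userInput) {
        if (!isAllowed(userInput)) {
            throw new IllegalArgumentException("input rejected by allowlist");
        }
        ELProcessor elp = new ELProcessor();
        elp.defineBean("userInput", userInput);   // bind the value, never concatenate it
        return String.valueOf(elp.eval("'Hello, ' += userInput"));
    }

    public static void main(String[] args) {
        // Constructed input: closes the string literal and appends an
        // arithmetic expression. Harmless, but it proves the input was evaluated.
        String crafted = "' += (1 + 1) += '";

        System.out.println(greetUnsafe("Alice"));
        System.out.println(greetUnsafe(crafted));   // the arithmetic is evaluated into the greeting

        System.out.println(greetSafe("Alice"));
        try {
            greetSafe(crafted);                      // never reaches the interpreter
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(escapeEl("${1+1}"));     // delimiter neutralised for template use
    }
}
```

Run it with the EL API and implementation jars on the classpath. With the crafted input, greetUnsafe returns a greeting containing the result of the arithmetic rather than the input text, which is the evaluation an attacker needs; greetSafe rejects the same input at the allowlist and, even if the allowlist were looser, would still treat it as a plain string because the expression source never changes. Note that the two mechanisms cover different layers: binding (or <c:out>'s escapeXml) protects the output stage, while escapeEl matters only when a string is about to be re-read by a template engine, which is exactly the second evaluation that turns data into EL.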