beth-linker · beth-linker · Sep 30, 2024
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -23,7 +23,8 @@ public String doGetSearch(@RequestParam String foo, HttpServletResponse response
     try {
       ExpressionParser parser = new SpelExpressionParser();
       Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
+      SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
+      message = (Object) exp.getValue(context);
@@ -23,5 +23,7 @@
    try {
+      // Sanitize user input
+      String sanitizedFoo = foo.replaceAll("[^a-zA-Z0-9]", "");
      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
+      Expression exp = parser.parseExpression(sanitizedFoo);
+      SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().withInstanceMethods().build();
      message = (Object) exp.getValue(context);
@@ -23,5 +23,7 @@
    try {
+      // Sanitize user input
+      String sanitizedFoo = foo.replaceAll("[^a-zA-Z0-9]", "");
      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
+      Expression exp = parser.parseExpression(sanitizedFoo);
+      SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().withInstanceMethods().build();
      message = (Object) exp.getValue(context);
     } catch (Exception ex) {
       System.out.println(ex.getMessage());
     }