Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SimpleEvaluationContext does not enforce read-only semantics #33320

Closed
github-actions bot opened this issue Aug 5, 2024 · 3 comments
Closed

SimpleEvaluationContext does not enforce read-only semantics #33320

github-actions bot opened this issue Aug 5, 2024 · 3 comments
Assignees
Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: backport An issue that is a backport of another issue to a maintenance branch type: bug A general bug
Milestone

Comments

@github-actions
Copy link
Contributor

github-actions bot commented Aug 5, 2024

Backport of gh-33319

@github-actions github-actions bot added in: core Issues in core modules (aop, beans, core, context, expression) type: backport An issue that is a backport of another issue to a maintenance branch type: bug A general bug labels Aug 5, 2024
@github-actions github-actions bot added this to the 5.3.38 milestone Aug 5, 2024
@sbrannen sbrannen self-assigned this Aug 5, 2024
sbrannen added a commit that referenced this issue Aug 6, 2024
SimpleEvaluationContext.forReadOnlyDataBinding() documents that it
creates a SimpleEvaluationContext for read-only access to public
properties; however, prior to this commit write access was not disabled
for indexed structures when using the assignment operator, the
increment operator, or the decrement operator.

In order to better align with the documented contract for
forReadOnlyDataBinding(), this commit makes it possible to disable
assignment in general in order to enforce read-only semantics for
SpEL's SimpleEvaluationContext when created via the
forReadOnlyDataBinding() factory method. Specifically:

- This commit introduces a new isAssignmentEnabled() "default" method
  in the EvaluationContext API, which returns true by default.

- SimpleEvaluationContext overrides isAssignmentEnabled(), returning
  false if the context was created via the forReadOnlyDataBinding()
  factory method.

- The Assign, OpDec, and OpInc AST nodes -- representing the assignment
  (=), increment (++), and decrement (--) operators, respectively --
  now throw a SpelEvaluationException if assignment is disabled for the
  current EvaluationContext.

See gh-33319
Closes gh-33320

(cherry picked from commit e1ab306)
Copy link
Contributor Author

github-actions bot commented Aug 6, 2024

Fixed via 26f2dad

@github-actions github-actions bot closed this as completed Aug 6, 2024
@sbrannen
Copy link
Member

Reopening to introduce SimpleEvaluationContext.Builder.withAssignmentDisabled().

@sbrannen sbrannen reopened this Aug 13, 2024
sbrannen added a commit that referenced this issue Aug 13, 2024
To support additional use cases, this commit introduces a
withAssignmentDisabled() method in the Builder for
SimpleEvaluationContext.

See gh-33319
Closes gh-33320

(cherry picked from commit 79c7bfd)
Copy link
Contributor Author

Fixed via f9c3d00

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: backport An issue that is a backport of another issue to a maintenance branch type: bug A general bug
Projects
None yet
Development

No branches or pull requests

1 participant