
ANN: Grails Data Binding Security Advisory


ANN: Grails Data Binding Security Advisory

Graeme Rocher
Administrator
Hi all,

FYI we have posted a security advisory regarding a known security
vulnerability in Grails versions below 2.0.2 and 1.3.8:

http://www.springsource.com/security/cve-2012-1833

This issue is only present if no explicit whitelists are used. Please see

http://blog.springsource.org/2012/03/28/secure-data-binding-with-grails/

For further information. If you have any questions don't hesitate to ask.

Cheers

--
Graeme Rocher
Grails Project Lead
SpringSource - A Division of VMware
http://www.springsource.com

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

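The advisory's point is that unrestricted data binding lets a request set any bindable property on the target object, and that an explicit whitelist closes that off. As an added illustration (not code from the advisory, the blog post, or the Grails project), here is the unrestricted pattern beside the whitelisted one in a Grails controller; the `User` domain class, the `admin` flag and the action names are hypothetical, and the method-style actions and `bindData(target, params, [include: [...]])` call assume the Grails 2.x controller API (Grails 1.3 actions are closures, otherwise the same idea).

```groovy
// Added example, not part of the original thread. Hypothetical domain class;
// in a real app it lives in grails-app/domain as its own file.
class User {
    String username
    String email
    boolean admin = false   // sensitive: must never be settable from request params
}

class UserController {

    // Unrestricted binding (the case the advisory describes): every request
    // parameter whose name matches a bindable property is copied onto the
    // object, so a client-controlled request could also set 'admin'.
    def updateUnrestricted() {
        def user = User.get(params.id)
        user.properties = params
        user.save()
        redirect(action: 'show', id: user.id)
    }

    // Whitelisted binding: only the named properties are ever bound from
    // params; anything else in the request ('admin' included) is ignored.
    def update() {
        def user = User.get(params.id)
        if (!user) {
            render(status: 404)
            return
        }
        bindData(user, params, [include: ['username', 'email']])
        if (!user.save()) {
            // constraint errors are reported back on the edit view
            render(view: 'edit', model: [user: user])
            return
        }
        redirect(action: 'show', id: user.id)
    }
}
```

The same `include` (or `exclude`) option applies when binding into command objects; the whitelist should list exactly the fields the form is meant to edit, not everything the domain class exposes.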


Re: ANN: Grails Data Binding Security Advisory

Dave Cramer-6
I was actually using injection to get access to a service in a
CommandObject validator.

Is there a way to do this now?

Dave

On Thu, Mar 29, 2012 at 4:01 PM, Graeme Rocher <[hidden email]> wrote:

> Hi all,
>
> FYI we have posted a security advisory regarding a known security
> vulnerability in Grails versions below 2.0.2 and 1.3.8:
>
> http://www.springsource.com/security/cve-2012-1833
>
> This issue is only present if no explicit whitelists are used. Please see
>
> http://blog.springsource.org/2012/03/28/secure-data-binding-with-grails/
>
> For further information. If you have any questions don't hesitate to ask.
>
> Cheers
>
> --
> Graeme Rocher
> Grails Project Lead
> SpringSource - A Division of VMware
> http://www.springsource.com
>




Re: ANN: Grails Data Binding Security Advisory

maik
> I was actually using injection to get access to a service in a
> CommandObject validator.
>
> Is there a way to do this now?

Not sure if I understand your problem.

You can pass the validated object with injected service to the validator
closure:

class SampleCommand {
    // Service injected into the command object by Grails (matched by name)
    def sampleService
    String sampleString

    static constraints = {
        // A two-argument validator closure receives the value being checked and
        // the object under validation, so the injected service is reachable
        // through the second argument
        sampleString(validator: { String value, SampleCommand cmd ->
            cmd.sampleService.validate(value)
        })
    }
}

Or you can use the grails constraints plugin, which supports injection.




Re: ANN: Grails Data Binding Security Advisory

Dave Englert
The below example is very similar to the example I posted a couple of
weeks ago (Grails 1.3.8 - Problem: dependency injection happening
after command validation).

It doesn't work in Grails 1.3.8, some of our tests fail after upgrading.

You get a null pointer exception as sampleService is not injected into
the command by the time the constraint is evaluated.

We are holding off moving to 1.3.8 until this is resolved.


On Fri, Apr 13, 2012 at 3:01 PM, maik <[hidden email]> wrote:

>> I was actually using injection to get access to a service in a
>> CommandObject validator.
>>
>> Is there a way to do this now?
>
> Not sure, if i understand your problem.
>
> You can pass the validated object with injected service to the validator
> closure:
>
> class SampleCommand {
>  def sampleService
>  String sampleString
>  static constraints = {
>  sampleString(validator: { sampleString, sampleCommand ->
>   sampleCommand.sampleService.validate(sampleString)
>  })
>  }
> }
>
> Or you can use the grails constraints plugin, which supports injection.
>




Re: ANN: Grails Data Binding Security Advisory

Jeff Scott Brown
On Mon, Apr 16, 2012 at 8:04 AM, David Englert <[hidden email]> wrote:

> The below example is very similar to the example I posted a couple of
> weeks ago (Grails 1.3.8 - Problem: dependency injection happening
> after command validation).
>
> It doesn't work in Grails 1.3.8, some of our tests fail after upgrading.
>
> You get a null pointer exception as sampleService is not injected into
> the command by the time the constraint is evaluated.
>
> We are holding off moving to 1.3.8 until this is resolved.
>
>

See http://jira.grails.org/browse/GRAILS-9027.



jb
--
Jeff Brown
SpringSource
http://www.springsource.com/

Autism Strikes 1 in 166
Find The Cause ~ Find The Cure
http://www.autismspeaks.org/




Re: ANN: Grails Data Binding Security Advisory

Dave Englert
Awesome - thanks!

On Mon, Apr 16, 2012 at 2:53 PM, Jeff Brown <[hidden email]> wrote:

> On Mon, Apr 16, 2012 at 8:04 AM, David Englert <[hidden email]> wrote:
>> The below example is very similar to the example I posted a couple of
>> weeks ago (Grails 1.3.8 - Problem: dependency injection happening
>> after command validation).
>>
>> It doesn't work in Grails 1.3.8, some of our tests fail after upgrading.
>>
>> You get a null pointer exception as sampleService is not injected into
>> the command by the time the constraint is evaluated.
>>
>> We are holding off moving to 1.3.8 until this is resolved.
>>
>>
>
> See http://jira.grails.org/browse/GRAILS-9027.
>
>
>
> jb
> --
> Jeff Brown
> SpringSource
> http://www.springsource.com/
>
> Autism Strikes 1 in 166
> Find The Cause ~ Find The Cure
> http://www.autismspeaks.org/
>


