Spring Cloud Routing Function and SPEL Expression injection - CVE-2022-22963 - spring-boot

I am having a springboot application and my local maven repository is having spring cloud dependencies present in it. I understand that for someone to use the CVE-2022-22963 vulnerability, the code should written to use the Spring Cloud routing function. Presence of the the spring cloud jar dependencies is alone not enough to exploit this vulnerability.
As per this link (https://sysdig.com/blog/cve-2022-22963-spring-cloud/),
The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.

Related

what does "spring-kafka without springboot" mean

I'm totally new to Kafka and terribly confused by this:
https://docs.spring.io/spring-kafka/reference/html/#with-java-configuration-no-spring-boot
I don't understand what that even means. What does "no spring boot mean" because that example sure as hell uses spring boot. I'm so confused....
EDIT
if I'm using SpringBoot and spring-kafka, should I have to manually create #Bean ConcurrentKafkaListenerContainerFactory as shown here. Most of the examples in the docs for setting up filtering / config / etc seem to use the "manual" configuration using #Bean. Is that "normal"? The docs are very confusing to me...especially this warning:
Spring for Apache Kafka is designed to be used in a Spring Application Context. For example, if you create the listener container yourself outside of a Spring context, not all functions will work unless you satisfy all of the …​Aware interfaces that the container implements.
It's referring to the autowired configuration, as compared to putting each property in the config via HashMap/Properties in-code.
Also, it does not use #SpringBootApplication or SpringApplication.run, it just calls a regular main method using a hard-coded Config class.
Spring boot contains the functionality of AutoConfiguration
What this means is that spring boot when discovers some specific jar dependencies it knows, in the project, it automatically configures them to work on a basic level. This does not exist in simple Spring project where even if you add the dependency you have to also provide the configuration as to how it should work in your application.
This is also happening here with dependencies of Kafka. Therefore the documentation explains what more you have to configure if you don't have spring-boot with auto-configuration to make kafka work in a spring project.
Another question asked in comment is what happens in case you want some complex custom configuration instead of the automatic configuration provided while you are in a spring-boot app.
As documented
Auto-configuration tries to be as intelligent as possible and will
back-away as you define more of your own configuration. You can always
manually exclude() any configuration that you never want to apply (use
excludeName() if you don't have access to them). You can also exclude
them via the spring.autoconfigure.exclude property.
So if you want to have some complex configuration which is not automatically provided by spring-boot through some other mechanism like a spring-boot specific application property, then you can make your own configuration with your custom bean and then either automatic configuration from spring-boot for that class will back of as spring does several intelligent checks during application context set up or you will have to exclude the class from auto configuration manually.
In that case you could probably take as an example reference of how to register manually your complex configurations in spring boot what is documented on how to be done in non spring boot app. doc

Spring Data without Spring Boot

I want to use SpringData (JPA I guess to access Postgres) with my Spring / GWT project. I cannot use SpringBoot because it does not allow me to register a simple HttpServlet (the GWT RemoteServiceServlet). At least, I can't figure that out due to too much magic and poor documentation.
Can anyone point me at a sample Maven project that uses SpringData without SpringBoot?

Can SpringBoot be use for Backend application?

One of the Spring framework advantage is dependency injection. Many had used SpringBoot for providing REST Web Services.
Read up and notice there are Scheduler and CommandLineRunner for SpringBoot, could we using SpringBoot for backend type of application to replace the usual standalone java program while making use of SpringBoot advantage (Dependency Injection)
- Cron Job (Execute and stop running)
- Long Running Process
One of the main thing I am looking into is to use annotation such as Spring Configuration, Spring Data JPA and other technology in backend application.
Of course!
I used spring boot to back CLI projects, DB access projects and more.
Spring boot is very modular. It works by providing auto-configuration based on your maven/gradle imports. If you don't import starter-web/starter-jersey or any other starter that is for the web/rest api, the auto-configuration for this resources won't be triggered and you can basically enjoy all the power of spring boot to support your needs
Definitely,
Spring boot is not a separate framework.It reduces the configuration difficulties when you using spring framework. Spring boot provides a Rapid Application Development using without complex configuration including your dispatcher servlet, XML file for database connectivity and configuration files. You can use spring boot for back-end development. Simply says you can do everything what you does in spring MVC without any complex configuration. If you are using spring boot , You can configure your database details in application.properties file. I am adding one of two links for proper reading,
https://projects.spring.io/spring-boot/ ,
https://dzone.com/articles/why-springboot

How to use a Spring Boot enabled library inside a old-school spring server

tl/dr (How) Is it possible to use a jar library, that uses Spring Boot for configuration in a non Spring Boot (regular old-school Spring) server.
We have the problem, that we have a Spring server, that is from the pre-Boot times and we want to create a new library for it. We would like to use Spring Boot in the library (i.e. #EnableAutoConfiguration for configuration). To include the library we have put an spring.xml into the library that enables component-scan inside the library. The classes inside the library use #EnableAutoConfiguration and #EnableWebSecurity to enable configuration and security.
If we include now the library into our server and import the XML file from the library into the server's XML file, only parts of the configuration are working. The #RequestMappings in the library are working and the interfaces are available. However Spring security fails to register it's default filter chain, leading to ugly errors, where the regular Spring Boot config should already work with AnonymousAuthorizationFilter, etc.
We debugged, that the FilterRegistrationBean in spring security is never configured when running that way (and is, if we are running as a Spring Boot application).
So is there a common way how to deal with Spring Boot enabled libraries inside old-school Spring servers?
Is placing a single XML to enable component-scan in the library and importing this XML inside the main server's XML the correct way to include Spring Boot libraries (and how would be the best way, if the server would use Spring Boot itself)?
Does anyone know of the issue with a missing Spring Security filter chain?
PS: I know that we can add the required filters manually. However if we would do that, we would anyway get rid of Spring Boot completely in the library, so this question mainly aims for how to do it with Spring Boot. Of course if it is the wrong way to enable Spring Boot inside a library, please also mention that :-)

Security configuration without XML with custom filters?

I'm using Spring Boot in STS to build a simple REST API.
I have some basic security requirements, similar to the ones described in the original post here: RESTful Authentication via Spring
The accepted answer above seems like a valid solution but does not translate to Spring Boot due to the lack of XML configuration.
How would I configure my Spring Boot application in the same manner?
You can use the same code as in that post if you want (are you sure that's what you want?) with #Configuration. The HttpSecurity builder has methods addFilter(), addFilterBefore(), addFilterAfter(), so you use those instead of the <custom-filter/> element in XML. Most (if not all) XML elements translate pretty directly into Java config.

Resources