How to prevent JUEL's code injection?

The following is an injection example:

Is there an official way to prevent it?

<?xml version="1.0" encoding="UTF-8"?> ${''.getClass().forName('org.springframework.expression.spel.standard.SpelExpressionParser').newInstance().parseExpression('T(org.springframework.cglib.core.ReflectUtils).defineClass(\'m.Slepp10\',T(org.springframework.util.Base64Utils).decodeFromString(\'yv66vgAAADEAGAoABgAPBQAAAAAAACcQCgAQABEHABIHABMBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAKRXhjZXB0aW9ucwcAFAEAClNvdXJjZUZpbGUBAAxTbGVwcDEwLmphdmEMAAcACAcAFQwAFgAXAQAJbS9TbGVwcDEwAQAQamF2YS9sYW5nL09iamVjdAEAHmphdmEvbGFuZy9JbnRlcnJ1cHRlZEV4Y2VwdGlvbgEAEGphdmEvbGFuZy9UaHJlYWQBAAVzbGVlcAEABChKKVYAIQAFAAYAAAAAAAEAAQAHAAgAAgAJAAAAKwACAAEAAAALKrcAARQAArgABLEAAAABAAoAAAAOAAMAAAAFAAQABgAKAAcACwAAAAQAAQAMAAEADQAAAAIADg==\'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance()').getValue()}

Hey @liarh86,

To achieve this you’ll need to write your own ELResolver(s). In our Enterprise offering and our Cloud Trial we have protections for such code injections.

Keep in mind that you usually need something like this if you are offering something publicly for any modeler user to be able to run something in a public shared cloud. However, when running on prem there needs to be a certain trust between the users creating the models and what gets deployed into production.

Runtime users are not able to use such an expression; only a user who is creating the process / case definitions is able to achieve such code injection.

Cheers,
Filip
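As an added illustration of the "write your own ELResolver" advice above (this is example code, not Flowable's or JUEL's own implementation), the class below wraps the standard resolver chain and refuses the reflection hops the posted payload relies on: calling `getClass()`, `forName()`, `newInstance()` and similar methods, reading the `class` property, and invoking anything on a `Class`, `ClassLoader`, `Thread` or `Runtime` base object. It uses the plain JUEL API (`de.odysseus.el.ExpressionFactoryImpl`, `de.odysseus.el.util.SimpleContext`) so it runs stand-alone; how the resolver is registered with a given Flowable version's expression manager is not shown and would need to be checked against that version. The class name `ReflectionBlockingELResolver` and the deny-list contents are assumptions made for this example.

```java
import java.beans.FeatureDescriptor;
import java.util.Iterator;
import java.util.Set;

import javax.el.ArrayELResolver;
import javax.el.BeanELResolver;
import javax.el.CompositeELResolver;
import javax.el.ELContext;
import javax.el.ELException;
import javax.el.ELResolver;
import javax.el.ExpressionFactory;
import javax.el.ListELResolver;
import javax.el.MapELResolver;

import de.odysseus.el.ExpressionFactoryImpl;
import de.odysseus.el.util.SimpleContext;

/**
 * Example resolver (not part of JUEL or Flowable): a guard placed in front of the
 * normal resolver chain. Every property lookup and method invocation passes through
 * check() first; anything that looks like reflection is rejected with an ELException.
 * This is a deny-list, so it stops the posted payload and the common variants of it,
 * but it is not a proof that no other chain exists; on-prem the real control is trust
 * in whoever authors the definitions.
 */
public class ReflectionBlockingELResolver extends ELResolver {

    // Method names that lead from an ordinary object to arbitrary classes or code (assumed list).
    private static final Set<String> DENIED_METHODS = Set.of(
        "getClass", "forName", "newInstance", "getClassLoader", "loadClass",
        "getMethod", "getDeclaredMethod", "getConstructor", "getDeclaredConstructor",
        "invoke", "exec", "getRuntime", "defineClass");

    private final ELResolver delegate;

    public ReflectionBlockingELResolver(ELResolver delegate) {
        this.delegate = delegate;
    }

    private static void check(Object base, Object member) {
        // Refuse to touch objects that are themselves gateways to reflection or process control.
        if (base instanceof Class || base instanceof ClassLoader || base instanceof Thread
                || base instanceof Runtime || base instanceof ProcessBuilder
                || (base != null && base.getClass().getName().startsWith("java.lang.reflect."))) {
            throw new ELException("Access to " + base.getClass().getName() + " is not allowed in expressions");
        }
        // Refuse the members that would produce such an object (''.class, ''.getClass(), ...).
        String name = String.valueOf(member);
        if ("class".equals(name) || DENIED_METHODS.contains(name)) {
            throw new ELException("Member '" + name + "' is not allowed in expressions");
        }
    }

    @Override
    public Object getValue(ELContext ctx, Object base, Object property) {
        check(base, property);
        return delegate.getValue(ctx, base, property);
    }

    @Override
    public Object invoke(ELContext ctx, Object base, Object method, Class<?>[] paramTypes, Object[] params) {
        check(base, method);
        return delegate.invoke(ctx, base, method, paramTypes, params);
    }

    @Override
    public Class<?> getType(ELContext ctx, Object base, Object property) {
        check(base, property);
        return delegate.getType(ctx, base, property);
    }

    @Override
    public void setValue(ELContext ctx, Object base, Object property, Object value) {
        check(base, property);
        delegate.setValue(ctx, base, property, value);
    }

    @Override
    public boolean isReadOnly(ELContext ctx, Object base, Object property) {
        return delegate.isReadOnly(ctx, base, property);
    }

    @Override
    public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext ctx, Object base) {
        return delegate.getFeatureDescriptors(ctx, base);
    }

    @Override
    public Class<?> getCommonPropertyType(ELContext ctx, Object base) {
        return delegate.getCommonPropertyType(ctx, base);
    }

    public static void main(String[] args) {
        // The usual chain, wrapped by the guard.
        CompositeELResolver chain = new CompositeELResolver();
        chain.add(new ArrayELResolver());
        chain.add(new ListELResolver());
        chain.add(new MapELResolver());
        chain.add(new BeanELResolver());

        ExpressionFactory factory = new ExpressionFactoryImpl();
        SimpleContext ctx = new SimpleContext(new ReflectionBlockingELResolver(chain));
        ctx.setVariable("name", factory.createValueExpression("world", String.class));

        // Ordinary bean access and method calls still work.
        System.out.println(factory.createValueExpression(ctx, "${name.toUpperCase()}", String.class).getValue(ctx));

        // The first hop of the posted payload (''.getClass().forName(...)) is refused.
        try {
            factory.createValueExpression(ctx, "${''.getClass().forName('java.lang.Runtime')}", Object.class).getValue(ctx);
        } catch (ELException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The guard sits in front of the `CompositeELResolver` rather than inside it because `CompositeELResolver` stops at the first resolver that marks the property as resolved; a filtering resolver added as one more member would be skipped for any base that an earlier member already handles. If you prefer a stricter model, replace the deny-list with an allow-list of bean names or types that expressions may call into, which is closer to what a shared cloud environment would need.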