thymeleaf: Release 3.0.12 has broken most of our templates due to #809

Due to changes in https://github.com/thymeleaf/thymeleaf/issues/809 we have a lot of templates that are now broken.

For a lot of our templates we use static members in our Spring controllers for the request names. Hrefs within our templates look like the following:

<a th:href="@{${T(com.test.controller.DashboardController).REQUEST_DASHBOARD}}">

This now results in the following exception:

org.thymeleaf.exceptions.TemplateProcessingException: Instantiation of new objects and access to static classes is forbidden in this context

This pattern is used in 100’s of templates in our code base. We obviously don’t want to completely disable the restricted expression evaluation mode, but is there a way to turn off the restriction of just the static class access?

Thanks, Scott

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 36
Comments: 20 (1 by maintainers)

Commits related to this issue

upgrade dependencies - Spring Boot 2.4.0 -> 2.4.2 - Lombok 1.18.16 -> 1.18.18 - JUnit 5.7.0 -> 4.7.1 - JUnit 4.13.1 -> 4.13.2 - Mockito 3.6.28 -> 3.7.7 - Spring Security: 5.4.2 -> 5.4.4 - Hibernate: ... — committed to Martin-BG/Marketplace by Martin-BG 3 years ago
downgraded thymeleaf due to this issue: https://github.com/thymeleaf/thymeleaf/issues/816 — committed to labsai/EDDI by ginccc 3 years ago
:new: bumped dependencies; :bug: rolled back thymeleaf to version 3.0.11.RELEASE (https://github.com/thymeleaf/thymeleaf/issues/816)) — committed to optionfactory/optionfactory-spring by rferranti 3 years ago
update project to Thymeleaf 3.0.12 https://github.com/thymeleaf/thymeleaf/issues/816 https://github.com/thymeleaf/thymeleaf/issues/809 — committed to Martin-BG/Marketplace by Martin-BG 3 years ago

Most upvoted comments

+1 Many of my templates are broken due to this “minor”?? update. It looks like a breaking change to me and should not have been embedded within a minor version update…

+23

sunriize on Mar 2, 2021

@danielfernandez can you comment on this issue? Seems to be a major problem for many people

+11

scoldwell on Mar 8, 2021

I absolutely understand the rationale behind the changes, and we’re more than happy to adjust our code to access enums in a safer way, but I have to confess “Go add a getter to a model object for every enum you might ever want to use in a template” is not the answer for which I was hoping.

It would be nice if thymeleaf could provide a recommended way of managing enum visibility - possibly even passing in a list of enums to make available in some form to the templates.

+10

abs0 on Apr 26, 2021

I really wonder why there is no mention of the alternatives. I ended up using with th:with like below

th:with="rptBy=${T(com.test.enum.ReportBy).BY_G1}"
th:data-groupby="${rptBy}"

venustulips on Mar 6, 2021

As the intent of the restricted expression evaluation mode is to:

reduce the risks of code injection as much as possible. Thymeleaf does this by preventing the use of direct input from users in certain parts of the template. This direct input from users refers to request parameters, as these might not have passed a validation process at the controller. (source)

IMHO restricting access to constants and enums doesn’t make sense to achieve this goal, as they cannot be manipulated by user input.

@danielfernandez as you are responsible for #809 I would like to know what the suggested replacement for accessing constants is?

Would it be possible for Thymeleaf to determine that expressions reference constants and allow those?.

leonard84 on Feb 8, 2021

Here too. Most of our template broke with 3.0.12, which is part of spring-boot-starter-thymeleaf-2.4.2. Thus atm we have to downgrade thymeleaf explicit…

membersound on Feb 9, 2021

A version bump would have been nice.

jochenchrist on Apr 26, 2021

I really wonder why there is no mention of the alternatives. I ended up using with th:with like below
th:with="rptBy=${T(com.test.enum.ReportBy).BY_G1}"
th:data-groupby="${rptBy}"

I can encourage you using this quickfix for your broken definitions. I only had to use a bunch of it, and can now work again with the most recent version again.

membersound on Jun 22, 2021

This is my solution, it worked, no need to modify template.

    @Bean
    public TemplateDialect templateDialect() {
        return new TemplateDialect();
    }

class TemplateDialect extends AbstractDialect implements IExpressionObjectDialect {

    public TemplateDialect() {
        super(TemplateDialect.class.getName());
    }

    @Override
    public IExpressionObjectFactory getExpressionObjectFactory() {
        return new IExpressionObjectFactory() {

            @Override
            public Set<String> getAllExpressionObjectNames() {
                Set<String> set = new LinkedHashSet<>();
                set.add("request");
                set.add("response");
                set.add("session");
                set.add("servletContext");
                return set;
            }

            @Override
            public Object buildObject(IExpressionContext context, String expressionObjectName) {
                if ("request".equals(expressionObjectName)) {
                    return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
                }
                if ("response".equals(expressionObjectName)) {
                    return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getResponse();
                }
                if ("session".equals(expressionObjectName)) {
                    return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getSession(false);
                }
                if ("servletContext".equals(expressionObjectName)) {
                    return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getServletContext();
                }
                throw new UnsupportedOperationException("unsupported expression");
            }

            @Override
            public boolean isCacheable(String expressionObjectName) {
                return true;
            }
        };
    }
}

rickgong on Nov 26, 2023

I complete understand the idea of preventing execution of arbitrary code, but in most of the cases myself and others have raised, we’re talking about constants/enums. Could code be added to the detection routine to determine if the target of the T() expression is a constant and allow that?

scoldwell on Apr 27, 2021

I had the same issue on my spring boot project(2.4.4), maybe 30+ templates affected, so spend few hours refactoring them into model attributes.

Could you maybe give examples on which expressions have to be formatted in a new way? That would probably help the majority of us to get rid of the old syntax more easily.

membersound on Mar 26, 2021