Affects: Spring Framework 5.2.24+

Background

Since #30325 (implemented in b73f5fc) the length of SpEL expressions is limited by default to 10000. As I understand it this is a mitigation against potential ReDoS exploits. However, in some cases this limitation is too low and prevents upgrading to recent Spring Framework versions.

While #30380 (implemented in aefcb9d) adds support for a custom maximumExpressionLength the feature is only accessible if one instantiates the SpelParserConfiguration class themselves.

In my case I would like to configure the SpelParserConfiguration created in the class StandardBeanExpressionResolver to accept my very long property by raising the maximumExpressionLength to a higher value than its default (10000).

Use case

I've got a huge map in my config:

myproperty={\ a: {\ x: { host: '10.1.1.1', port: 1234 },\ y: { host: '10.1.1.1', port: 1234 },\ z: { host: '10.1.1.1', port: 1234 }\ },\ b: {\ x: { host: '10.1.1.1', port: 1234 },\ y: { host: '10.1.1.1', port: 1234 },\ z: { host: '10.1.1.1', port: 1234 }\ },\ c: {\ x: { host: '10.1.1.1', port: 1234 },\ y: { host: '10.1.1.1', port: 1234 },\ z: { host: '10.1.1.1', port: 1234 }\ },\ # and so on, altogether 15000 characters }

It is used by a property:

@Value("#{${myproperty}}") private Map<String, Map<String,Map<String,String>>> myproperty; 

If I try to start my application I get the following exception:

org.springframework.expression.spel.SpelEvaluationException: EL1079E: SpEL expression is too long, exceeding the threshold of '10,000' characters"}} 

Proposal

Make the parameter maximumExpressionLength of SpelParserConfiguration configurable when it is instantiated in StandardBeanExpressionResolver.java (see the snippet above). Example (not sure what a conformant property name would be):

spring.standardBeanExpressionResolver.maximumExpressionLength=20000