Endor Labs notes in their report that Thymeleaf has defense-in-depth layers to block dangerous expressions, and in this case two of them failed. For example, a string check scanned the expression text for dangerous patterns, such as the new keyword followed by an ASCII space, T (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for the ASCII space character (0x20), while the SpEL parser also accepts tab (0x09), newline (0x0A), and other control characters between new and the class name.
Another policy blocked classes that start with java.* from being used inside T() type references, but did not block types from org.springframework.*, ognl.*, or javax.*.
"Since typical Spring applications have spring-core on the classpath, classes like org.springframework.core.io.FileSystemResource were freely constructable, and that class can create arbitrary files on disk," the researchers said.
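The two failed layers described above, re-implemented in simplified form as an added example (this is not Thymeleaf's or Endor Labs' code); the weak checks mirror the report's description, the hardened variants normalize whitespace and use an allow-list instead of a deny-list, and the sample expressions and allow-list are constructed for illustration:

```python
import re

# Layer 1 (weak): literal "new" followed by a single ASCII space (0x20).
# Any other separator the expression parser tolerates slips past it.
def weak_new_check(expr: str) -> bool:
    """Return True when the expression should be rejected."""
    return "new " in expr

# Layer 1 (hardened): treat any run of whitespace or control characters
# between the keyword and the type name as equivalent to a space.
_NEW_RE = re.compile(r"\bnew[\s\x00-\x1f]+[\w$.]")

def hardened_new_check(expr: str) -> bool:
    """Return True when a constructor call appears, whatever the separator."""
    return _NEW_RE.search(expr) is not None

# Extract the type name from T(...) references, tolerating inner whitespace.
_TYPE_RE = re.compile(r"T\(\s*([\w$.]+)\s*\)")

# Layer 2 (weak): deny-list of one package prefix. Types from any other
# package (org.springframework.*, ognl.*, javax.*) are not flagged.
def weak_type_check(expr: str) -> bool:
    return any(m.group(1).startswith("java.") for m in _TYPE_RE.finditer(expr))

# Layer 2 (hardened): allow-list. Only explicitly permitted types pass;
# everything else is rejected. (Constructed example list, not a real policy.)
ALLOWED_TYPES = ("java.lang.Math", "java.util.Collections")

def hardened_type_check(expr: str) -> bool:
    for m in _TYPE_RE.finditer(expr):
        if not m.group(1).startswith(ALLOWED_TYPES):
            return True
    return False

def is_rejected(expr: str, hardened: bool = True) -> bool:
    """Combine both layers; `hardened` selects the corrected variants."""
    if hardened:
        return hardened_new_check(expr) or hardened_type_check(expr)
    return weak_new_check(expr) or weak_type_check(expr)

if __name__ == "__main__":
    # Constructed samples using benign class names; only the syntax matters.
    for sample in ("new java.lang.Object()", "new\tjava.lang.Object()",
                   "T(org.springframework.core.io.FileSystemResource)",
                   "T(java.lang.Math).abs(-1)"):
        print(repr(sample), "weak:", is_rejected(sample, hardened=False),
              "hardened:", is_rejected(sample))
```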