Improve diagnostics in SpEL for large array creation

Attempting to create a large array in a SpEL expression can result in an OutOfMemoryError. Although the JVM recovers from that, the error message is not very helpful to the user. This commit improves the diagnostics in SpEL for large array creation by throwing a SpelEvaluationException with a meaningful error message in order to improve diagnostics for the user. Closes spring-projectsgh-28145
anfit · Oct 18, 2023 · b207f56 · b207f56
1 parent 2bd1daa
commit b207f56
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java
@@ -251,8 +251,13 @@ public enum SpelMessage {
 	MISSING_SELECTION_EXPRESSION(Kind.ERROR, 1071,
 			"A required selection expression has not been specified"),
 
-	EXCEPTION_RUNNING_COMPILED_EXPRESSION(Kind.ERROR,1072,
-			"An exception occurred whilst evaluating a compiled expression");
+	/** @since 4.1 */
+	EXCEPTION_RUNNING_COMPILED_EXPRESSION(Kind.ERROR, 1072,
+			"An exception occurred whilst evaluating a compiled expression"),
+
+	/** @since 5.3.17 */
+	MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED(Kind.ERROR, 1075,
+			"Array declares too many elements, exceeding the threshold of ''{0}''");
 
 
 	private final Kind kind;

diff --git a/...xpression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java b/...xpression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java
@@ -51,10 +51,18 @@
  *
  * @author Andy Clement
  * @author Juergen Hoeller
+ * @author Sam Brannen
  * @since 3.0
  */
 public class ConstructorReference extends SpelNodeImpl {
 
+	/**
+	 * Maximum number of elements permitted in an array declaration, applying
+	 * to one-dimensional as well as multi-dimensional arrays.
+	 * @since 5.3.17
+	 */
+	private static final int MAX_ARRAY_ELEMENTS = 256 * 1024; // 256K
+
 	private boolean isArrayConstructor = false;
 
 	private SpelNodeImpl[] dimensions;
@@ -256,14 +264,19 @@ private TypedValue createArray(ExpressionState state) throws EvaluationException
 			if (this.dimensions.length == 1) {
 				TypedValue o = this.dimensions[0].getTypedValue(state);
 				int arraySize = ExpressionUtils.toInt(typeConverter, o);
+				checkNumElements(arraySize);
 				newArray = Array.newInstance(componentType, arraySize);
 			}
 			else {
 				// Multi-dimensional - hold onto your hat!
 				int[] dims = new int[this.dimensions.length];
+				long numElements = 1;
 				for (int d = 0; d < this.dimensions.length; d++) {
 					TypedValue o = this.dimensions[d].getTypedValue(state);
-					dims[d] = ExpressionUtils.toInt(typeConverter, o);
+					int arraySize = ExpressionUtils.toInt(typeConverter, o);
+					dims[d] = arraySize;
+					numElements *= arraySize;
+					checkNumElements(numElements);
 				}
 				newArray = Array.newInstance(componentType, dims);
 			}
@@ -323,6 +336,13 @@ else if (arrayTypeCode == TypeCode.BYTE) {
 		return new TypedValue(newArray);
 	}
 
+	private void checkNumElements(long numElements) {
+		if (numElements >= MAX_ARRAY_ELEMENTS) {
+			throw new SpelEvaluationException(getStartPosition(),
+					SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, MAX_ARRAY_ELEMENTS);
+		}
+	}
+
 	private void populateReferenceTypeArray(ExpressionState state, Object newArray, TypeConverter typeConverter,
 			InlineList initializer, Class<?> componentType) {