Spring MVC application filtering HTML in URL - Is this a security issue?
My existing Spring Web MVC application has the following handler mapping in the Controller.

    @RequestMapping(method = RequestMethod.GET, value = "/welcome")

I trigger the following request http://www.example.com/welcome and this works fine.

The problem is

http://www.example.com/welcome.check.blah 

also works!!!

Also, an HTTP GET request URL to the application with a script tag is getting redisplayed though it fails the authorization.

Example: http://www.example.com/welcome<script>alert("hi")</script> gets redisplayed as such in the browser window and, as a result of my authorization logic, a "Not authorized" message is displayed.

I wonder if this is a security issue and whether I need to do any encoding/filtering in the code?

Injector answered 13/3, 2012 at 16:30 Comment(0)
This behavior is due to the option useSuffixPatternMatch which is true by default inside the RequestMappingHandlerMapping (I assume you use Spring MVC 3.1).

useSuffixPatternMatch : Whether to use suffix pattern match (".*") when matching patterns to requests. If enabled a method mapped to "/users" also matches to "/users.*". The default value is "true".

To set useSuffixPatternMatch to false, the easiest way is to use @Configuration:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
    import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

    // Extending WebMvcConfigurationSupport directly replaces @EnableWebMvc
    // (which imports a subclass of it); using both registers the MVC
    // infrastructure twice, so the annotation is left out here.
    @Configuration
    public class Api extends WebMvcConfigurationSupport {

        // Spring's Javadoc asks for @Bean to be repeated on overridden @Bean methods.
        @Override
        @Bean
        public RequestMappingHandlerMapping requestMappingHandlerMapping() {
            RequestMappingHandlerMapping mapping = super.requestMappingHandlerMapping();
            // Disable ".*" matching so "/welcome" no longer serves "/welcome.check.blah".
            mapping.setUseSuffixPatternMatch(false);
            return mapping;
        }

    }
Donica answered 13/3, 2012 at 17:8 Comment(2)
Thanks for pointing out about the useSuffixPatternMatch. Will try that. Do you have any inputs regarding the other point - Is this a security issue? Can we prevent browser from redisplaying the URL as entered? – Injector
I tested it and yes the URL is redisplayed but the <script> tag isn't interpreted so I don't see any security issue here. – Donica
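A test that reproduces the suffix-matching behaviour this answer describes, added here as an example and not taken from the thread. It assumes Spring 5.x with spring-test and JUnit 5 on the classpath, and uses the standalone MockMvc builder's setUseSuffixPatternMatch in place of the handler-mapping configuration above; the option was removed in Spring 6, so the test targets 5.x only.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

public class SuffixPatternMatchTest {

    // Minimal controller mirroring the mapping in the question.
    @Controller
    static class WelcomeController {
        @RequestMapping(method = RequestMethod.GET, value = "/welcome")
        @ResponseBody
        public String welcome() {
            return "welcome";
        }
    }

    // With suffix matching on (the Spring 3.1 default), "/welcome" is registered
    // as "/welcome.*" as well, so an arbitrary dotted suffix still reaches the handler.
    @Test
    void suffixMatchEnabledAlsoServesDottedPaths() throws Exception {
        MockMvc mvc = MockMvcBuilders.standaloneSetup(new WelcomeController())
                .setUseSuffixPatternMatch(true)
                .build();
        mvc.perform(get("/welcome")).andExpect(status().isOk());
        mvc.perform(get("/welcome.check.blah")).andExpect(status().isOk());
    }

    // With suffix matching off, only the exact path is served; the dotted
    // variant falls through to a 404 instead of hitting the controller.
    @Test
    void suffixMatchDisabledRejectsDottedPaths() throws Exception {
        MockMvc mvc = MockMvcBuilders.standaloneSetup(new WelcomeController())
                .setUseSuffixPatternMatch(false)
                .build();
        mvc.perform(get("/welcome")).andExpect(status().isOk());
        mvc.perform(get("/welcome.check.blah")).andExpect(status().isNotFound());
    }
}
```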
In current Spring Java config, there is a slightly easier way to configure the same thing:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

    @Configuration
    public class DispatcherConfig extends WebMvcConfigurationSupport {

        // Turn off ".*" suffix matching for every @RequestMapping handler.
        @Override
        protected void configurePathMatch(PathMatchConfigurer configurer) {
            configurer.setUseSuffixPatternMatch(false);
        }

    }
Heinz answered 31/8, 2017 at 8:44 Comment(0)
When you use Spring to request a mapping of that type (i.e. "/anything") Spring actually maps your controller to several URLs:

/welcome
/welcome.*
/welcome/

To prevent this, either be more specific in your RequestMapping (i.e. /welcome.htm), or manually map the URL to the controller in your XML config:

    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <props>
                <prop key="/welcome">YourControllerBean</prop>
            </props>
        </property>
    </bean>

Cheers, Pete

Puzzlement answered 13/3, 2012 at 16:52 Comment(1)
Thanks for the response. But am already using annotation based request handler mapping and I cannot use ".htm" suffix :( – Injector
You can also restrict this in the web.xml by mentioning the url pattern. Instead of giving "/", you can mention "/.htm" in your web.xml.

Something like

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/application/*.htm</url-pattern>
    </servlet-mapping>
Simulacrum answered 13/3, 2012 at 17:37 Comment(2)
Unfortunately, I cannot do that. The incoming request comes in the format of "/welcome?key=value" and not "/welcome.html". This has been done to mask the underlying technology. – Injector
Ohh ok..acceptable...but to me it doesn't reveal any underlying technology rather it specifies the url pattern though... – Simulacrum
You can use the useDefaultSuffixPattern property.

<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
    <property name="useDefaultSuffixPattern" value="false" />
</bean>

Also refer to "URL Pattern Restricting in SPRING MVC".

Rsfsr answered 4/6, 2012 at 18:16 Comment(0)
Starting from Spring Framework 5.3, useDefaultSuffixPattern is deprecated and turned off by default. See the Spring upgrade notes, section "Use of Path Extensions Deprecated in Spring MVC".

Ascospore answered 19/1, 2022 at 6:56 Comment(0)