From 09b5222f5220a30a7ba56cc12b13d32426bf927f Mon Sep 17 00:00:00 2001
From: Phillip Webb
Date: Wed, 11 Nov 2015 20:15:28 -0800
Subject: [PATCH] Disable suffix pattern matching for Endpoints

Update EndpointHandlerMapping so that setUseSuffixPatternMatch is set to false. This prevents URLs of the form /beans.json from returning results and provides another line of defense against RDF attacks.

Fixes gh-4402
---
 .../boot/actuate/endpoint/mvc/EndpointHandlerMapping.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
index d6e603cd05c..85cf62b96e6 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
@@ -80,6 +80,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
 CorsConfiguration corsConfiguration) {
 this.endpoints = new HashSet(endpoints);
 this.corsConfiguration = corsConfiguration;
+ setUseSuffixPatternMatch(false);
 // By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
 // and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
 setOrder(-100);
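Review bot: The added `setUseSuffixPatternMatch(false);` is a security control, yet unlike the `setOrder(-100)` call directly below it carries no comment saying why it is there, so a later cleanup could remove it as an unexplained default; add `// Disable suffix pattern matching so that e.g. /beans.json does not resolve to an endpoint (reflected file download defence, see gh-4402)` above it. Suffix matching is only one of the path-matching options on RequestMappingHandlerMapping — trailing-slash matching and `;`-path-parameter handling are governed by separate settings that this hunk does not touch, so confirm they are covered elsewhere if this is meant as defence in depth. The call is made in this one constructor; presumably any other constructor delegates here, but if one does not it will keep suffix matching enabled, and the public setter still allows it to be re-enabled after construction. The commit message says "RDF attacks"; this presumably means RFD (Reflected File Download). The constructor body continues past the end of the hunk.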