root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 12 Packages Projects Releases Wiki Activity

Trace filter ignores invalid requests 

Fixes gh-12987
This commit is contained in:
Madhura Bhave 2018-06-06 11:43:20 -07:00
parent 59746de63b
commit ed734d7e43
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
View File

@ -17,6 +17,8 @@
package org.springframework.boot.actuate.web.trace.servlet; package org.springframework.boot.actuate.web.trace.servlet;
import java.io.IOException; import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
@ -76,6 +78,10 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
protected void doFilterInternal(HttpServletRequest request, protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain) HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException { throws ServletException, IOException {
if (!isRequestValid(request)) {
filterChain.doFilter(request, response);
return;
}
TraceableHttpServletRequest traceableRequest = new TraceableHttpServletRequest( TraceableHttpServletRequest traceableRequest = new TraceableHttpServletRequest(
request); request);
HttpTrace trace = this.tracer.receivedRequest(traceableRequest); HttpTrace trace = this.tracer.receivedRequest(traceableRequest);
@ -95,6 +101,16 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
} }
} }
private boolean isRequestValid(HttpServletRequest request) {
try {
new URI(request.getRequestURL().toString());
return true;
}
catch (URISyntaxException ex) {
return false;
}
}
private String getSessionId(HttpServletRequest request) { private String getSessionId(HttpServletRequest request) {
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
return (session != null ? session.getId() : null); return (session != null ? session.getId() : null);

9
spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
View File

@ -127,4 +127,13 @@ public class HttpTraceFilterTests {
} }
} }
@Test
public void filterRejectsInvalidRequests() throws ServletException, IOException {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setServerName("<script>alert(document.domain)</script>");
this.filter.doFilter(request, new MockHttpServletResponse(),
new MockFilterChain());
assertThat(this.repository.findAll()).hasSize(0);
}
} }