org.springframework.security.web.firewall

Class StrictHttpFirewall

java.lang.Object

org.springframework.security.web.firewall.StrictHttpFirewall

All Implemented Interfaces:

HttpFirewall

public class StrictHttpFirewall
extends java.lang.Object
implements HttpFirewall

A strict implementation of HttpFirewall that rejects any suspicious requests with a RequestRejectedException.

The following rules are applied to the firewall:

• Rejects URLs that are not normalized to avoid bypassing security constraints. There is no way to disable this as it is considered extremely risky to disable this constraint. A few options to allow this behavior is to normalize the request prior to the firewall or using DefaultHttpFirewall instead. Please keep in mind that normalizing the request is fragile and why requests are rejected rather than normalized.
• Rejects URLs that contain characters that are not printable ASCII characters. There is no way to disable this as it is considered extremely risky to disable this constraint.
• Rejects URLs that contain semicolons. See setAllowSemicolon(boolean)
• Rejects URLs that contain a URL encoded slash. See setAllowUrlEncodedSlash(boolean)
• Rejects URLs that contain a backslash. See setAllowBackSlash(boolean)
• Rejects URLs that contain a URL encoded percent. See setAllowUrlEncodedPercent(boolean)

Since:

4.2.4

See Also:

DefaultHttpFirewall

Constructor Summary

Constructors

Constructor and Description
StrictHttpFirewall()

Method Summary

Modifier and Type	Method and Description
FirewalledRequest	getFirewalledRequest(javax.servlet.http.HttpServletRequest request) Provides the request object which will be passed through the filter chain.
javax.servlet.http.HttpServletResponse	getFirewalledResponse(javax.servlet.http.HttpServletResponse response) Provides the response which will be passed through the filter chain.
void	setAllowBackSlash(boolean allowBackSlash) Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not.
void	setAllowSemicolon(boolean allowSemicolon) Determines if semicolon is allowed in the URL (i.e.
void	setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not.
void	setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not.
void	setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

StrictHttpFirewall

public StrictHttpFirewall()

Method Detail

setAllowSemicolon

public void setAllowSemicolon(boolean allowSemicolon)

Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.

For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:

• cve-2016-5007
• cve-2016-9879
• cve-2018-1199

If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:

• Including the JSESSIONID in the path - You should not include session id (or any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
• Matrix Variables - Users wanting to leverage Matrix Variables should consider using HTTP parameters instead.

Parameters:

allowSemicolon - should semicolons be allowed in the URL. Default is false

setAllowUrlEncodedSlash

public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)

Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.

For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

Parameters:

allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.

setAllowUrlEncodedPeriod

public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)

Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.

For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

Parameters:

allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.

setAllowBackSlash

public void setAllowBackSlash(boolean allowBackSlash)

Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.

Parameters:

allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false

setAllowUrlEncodedPercent

public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)

Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.

For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.

Parameters:

allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false

getFirewalledRequest

public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request)
                                       throws RequestRejectedException

Description copied from interface: HttpFirewall

Provides the request object which will be passed through the filter chain.

Specified by:

getFirewalledRequest in interface HttpFirewall

Throws:

RequestRejectedException - if the request should be rejected immediately

getFirewalledResponse

public javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)

Description copied from interface: HttpFirewall

Provides the response which will be passed through the filter chain.

Specified by:

getFirewalledResponse in interface HttpFirewall

Parameters:

response - the original response

Returns:

either the original response or a replacement/wrapper.