public class StrictHttpFirewall extends java.lang.Object implements HttpFirewall
A strict implementation of HttpFirewall that rejects any suspicious requests with a RequestRejectedException.
The following rules are applied to the firewall:
setAllowedHttpMethods(Collection)
DefaultHttpFirewall instead. Please keep in mind that normalizing the request is fragile and why requests are rejected rather than normalized.
setAllowSemicolon(boolean)
setAllowUrlEncodedSlash(boolean)
setAllowBackSlash(boolean)
setAllowUrlEncodedPercent(boolean)
setAllowedHostnames(Predicate)
DefaultHttpFirewall
Constructor and Description |
---|
StrictHttpFirewall() |
Modifier and Type | Method and Description |
---|---|
FirewalledRequest | getFirewalledRequest(javax.servlet.http.HttpServletRequest request): Provides the request object which will be passed through the filter chain. |
javax.servlet.http.HttpServletResponse | getFirewalledResponse(javax.servlet.http.HttpServletResponse response): Provides the response which will be passed through the filter chain. |
void | setAllowBackSlash(boolean allowBackSlash): Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. |
void | setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames): Determines which hostnames should be allowed. |
void | setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods): Determines which HTTP methods should be allowed. |
void | setAllowSemicolon(boolean allowSemicolon): Determines if semicolon is allowed in the URL (i.e. matrix variables). |
void | setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent): Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. |
void | setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod): Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. |
void | setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash): Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. |
void | setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod): Sets if any HTTP method is allowed. |
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod)
unsafeAllowAnyHttpMethod - if true, disables HTTP method validation, else resets back to the defaults. Default is false.
See Also: setAllowedHttpMethods(Collection)
public void setAllowedHttpMethods(java.util.Collection<java.lang.String> allowedHttpMethods)
Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
allowedHttpMethods - the case-sensitive collection of HTTP methods that are allowed.
See Also: setUnsafeAllowAnyHttpMethod(boolean)
public void setAllowSemicolon(boolean allowSemicolon)
Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.
For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:
If you want to allow semicolons, please reconsider, as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:
allowSemicolon - should semicolons be allowed in the URL. Default is false
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash)
Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.
For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
allowUrlEncodedSlash - should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.
public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod)
Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.
For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
allowUrlEncodedPeriod - should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.
public void setAllowBackSlash(boolean allowBackSlash)
Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in HttpServletRequest path related values which allow bypassing certain security constraints.
allowBackSlash - a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent)
Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.
allowUrlEncodedPercent - if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false
public void setAllowedHostnames(java.util.function.Predicate<java.lang.String> allowedHostnames)
Determines which hostnames should be allowed. The default is to allow any hostname.
allowedHostnames - the predicate for testing hostnames
public FirewalledRequest getFirewalledRequest(javax.servlet.http.HttpServletRequest request) throws RequestRejectedException
HttpFirewall
getFirewalledRequest in interface HttpFirewall
RequestRejectedException - if the request should be rejected immediately
public javax.servlet.http.HttpServletResponse getFirewalledResponse(javax.servlet.http.HttpServletResponse response)
HttpFirewall
getFirewalledResponse in interface HttpFirewall
response - the original response
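
An added example (not part of the Spring Security Javadoc or code base) that exercises the rules documented above: it tightens a StrictHttpFirewall with setAllowedHttpMethods and setAllowedHostnames, then passes one constructed request per rule to getFirewalledRequest and reports which ones raise RequestRejectedException. It assumes spring-security-web, spring-test (for MockHttpServletRequest) and the javax.servlet API are on the classpath; the class name StrictHttpFirewallProbe, the hostnames and the paths are made up for illustration.

```java
import java.util.Arrays;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class StrictHttpFirewallProbe {

    static final String HOST = "app.example.test"; // constructed hostname

    // Tightened beyond the defaults: two methods, one known hostname.
    static StrictHttpFirewall hardenedFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST")); // case-sensitive
        firewall.setAllowedHostnames(HOST::equals);
        return firewall;
    }

    // True when getFirewalledRequest throws RequestRejectedException.
    static boolean isRejected(StrictHttpFirewall firewall, String method, String host, String uri) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, uri);
        request.setServerName(host);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        StrictHttpFirewall firewall = hardenedFirewall();
        // Constructed samples: {label, method, host, request URI}.
        String[][] samples = {
            {"baseline",            "GET",    HOST, "/reports/2024"},
            {"semicolon",           "GET",    HOST, "/reports;v=1/2024"},
            {"encoded slash %2F",   "GET",    HOST, "/reports%2F2024"},
            {"encoded period %2E",  "GET",    HOST, "/reports/%2E%2E/admin"},
            {"encoded backslash",   "GET",    HOST, "/reports%5C2024"},
            {"encoded percent %25", "GET",    HOST, "/reports%252F2024"},
            {"method not in list",  "DELETE", HOST, "/reports/2024"},
            {"lower-case method",   "get",    HOST, "/reports/2024"},
            {"unknown hostname",    "GET",    "other.example.test", "/reports/2024"},
        };
        for (String[] s : samples) {
            String verdict = isRejected(firewall, s[1], s[2], s[3]) ? "REJECTED" : "allowed";
            System.out.printf("%-20s %-7s %-40s %s%n", s[0], s[1], s[2] + s[3], verdict);
        }
    }
}
```

Running the same probe against a firewall where one of the setAllow... flags has been switched to true shows exactly which class of request that relaxation lets through, which is a useful check before changing a default in production.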