Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RequestRejectedHandler does not reliable prevent Internal Server Error #11645

Closed
osiegmar opened this issue Jul 29, 2022 · 4 comments
Closed

RequestRejectedHandler does not reliable prevent Internal Server Error #11645

osiegmar opened this issue Jul 29, 2022 · 4 comments
Assignees
@marcusdacoregio
Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.8.0-M2

Comments

@osiegmar
Copy link

Describe the bug
The RequestRejectedHandler was added to provide a configurable way of handling RequestRejectedException thrown by HttpFirewall. When using a HttpStatusRequestRejectedHandler the exception is handled by returning a HTTP status code (400 by default) to the client. Unfortunately this is not reliably the case and I consider this as a bug.

To Reproduce

  • Use StrictHttpFirewall with HttpStatusRequestRejectedHandler
  • Send a request with a HTTP header X-Test with a value containing \u0099

Then two things can happen:

  1. Internal Server Error
  • Implement an endpoint that reads the header X-Test
  • A HTTP status code 500 is returned (org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "Test Â�" is not allowed.)

or

  1. Success
  • Implement an endpoint that does not read headers
  • A HTTP status code 200 is returned

Expected behavior

  • Consistent behavior in both cases
  • The configured status code of HttpStatusRequestRejectedHandler (400 by default).

Sample

https://github.com/osiegmar/spring-firewall-bug

Additional notes

  • The character value \u0099 is considered invalid by StrictHttpFirewall (via regex pattern [\p{IsAssigned}&&[^\p{IsControl}]]*) but it seems to be valid according section 3.2 of RFC 7230 (field-vchar = VCHAR / obs-text ; VCHAR = %x21-7E ; obs-text = %x80-FF)
  • I assume that there are more cases when this can happen (e.g. invalid parameter names)
@osiegmar osiegmar added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 29, 2022
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 29, 2022
@osiegmar
Copy link
Author

osiegmar commented Aug 3, 2022

Related PR: #8644

@rwinch rwinch assigned jzheaux and unassigned rwinch Aug 3, 2022
@marcusdacoregio marcusdacoregio added this to the 5.8.0-M2 milestone Aug 8, 2022
@rwinch
Copy link
Member

rwinch commented Aug 8, 2022

@osiegmar Thank you for the report. Could you please create another ticket in regards to your concerns around the additional notes you provide. This will allow us to split up the work into discrete units and provide fixes faster

@marcusdacoregio marcusdacoregio mentioned this issue Aug 8, 2022
Merged
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Aug 8, 2022
@marcusdacoregio
Consistently handle RequestRejectedException if it is wrapped
5cbe771 
Closes spring-projectsgh-11645
@osiegmar
Copy link
Author

osiegmar commented Aug 9, 2022

Thanks a lot!

I can confirm that PR #11670 solves this issue by ensuring HttpStatusRequestRejectedHandler can do its work even if the RequestRejectedException is wrapped (e.g. by a ServletException). A status code of 400 is returned instead of 500.

I understand that my other expectation (consistent behaviour for read and unread HTTP headers) is not the currently intended behaviour. I’l probably create a new enhancement issue for that.

@osiegmar osiegmar closed this as completed Aug 9, 2022
marcusdacoregio added a commit that referenced this issue Aug 9, 2022
@marcusdacoregio
Consistently handle RequestRejectedException if it is wrapped
1c4d6ed 
Closes gh-11645
marcusdacoregio added a commit that referenced this issue Aug 9, 2022
@marcusdacoregio
Consistently handle RequestRejectedException if it is wrapped
24bb83e 
Closes gh-11645
marcusdacoregio added a commit that referenced this issue Aug 9, 2022
@marcusdacoregio
Consistently handle RequestRejectedException if it is wrapped
6a2ca52 
Closes gh-11645
@github-actions github-actions bot added the status: backported An issue that has been backported to maintenance branches label Aug 9, 2022
@github-actions github-actions bot mentioned this issue Aug 9, 2022
Closed
marcusdacoregio added a commit that referenced this issue Aug 9, 2022
@marcusdacoregio
Consistently handle RequestRejectedException if it is wrapped
ead587c 
Closes gh-11645
@github-actions github-actions bot mentioned this issue Aug 9, 2022
Closed
@rwinch
Copy link
Member

rwinch commented Aug 10, 2022

I understand that my other expectation (consistent behaviour for read and unread HTTP headers) is not the currently intended behaviour. I’l probably create a new enhancement issue for that.

If you still have concerns around what is being rejected, I'd create a ticket for that as well

@github-actions github-actions bot mentioned this issue Aug 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.8.0-M2
Development

No branches or pull requests
4 participants
@rwinch @osiegmar @jzheaux @marcusdacoregio