Class StrictServerWebExchangeFirewall
- All Implemented Interfaces:
ServerWebExchangeFirewall
A strict implementation of ServerWebExchangeFirewall
that rejects any
suspicious requests with a ServerExchangeRejectedException
.
The following rules are applied to the firewall:
- Rejects HTTP methods that are not allowed. This specified to block
HTTP Verb
tampering and XST attacks. See
setAllowedHttpMethods(Collection)
- Rejects URLs that are not normalized to avoid bypassing security constraints. There
is no way to disable this as it is considered extremely risky to disable this
constraint. A few options to allow this behavior is to normalize the request prior to
the firewall or using
DefaultHttpFirewall
instead. Please keep in mind that normalizing the request is fragile and why requests are rejected rather than normalized. - Rejects URLs that contain characters that are not printable ASCII characters. There is no way to disable this as it is considered extremely risky to disable this constraint.
- Rejects URLs that contain semicolons. See
setAllowSemicolon(boolean)
- Rejects URLs that contain a URL encoded slash. See
setAllowUrlEncodedSlash(boolean)
- Rejects URLs that contain a backslash. See
setAllowBackSlash(boolean)
- Rejects URLs that contain a null character. See
setAllowNull(boolean)
- Rejects URLs that contain a URL encoded percent. See
setAllowUrlEncodedPercent(boolean)
- Rejects hosts that are not allowed. See
setAllowedHostnames(Predicate)
- Reject headers names that are not allowed. See
setAllowedHeaderNames(Predicate)
- Reject headers values that are not allowed. See
setAllowedHeaderValues(Predicate)
- Reject parameter names that are not allowed. See
setAllowedParameterNames(Predicate)
- Reject parameter values that are not allowed. See
setAllowedParameterValues(Predicate)
- Since:
- 6.4
-
Field Summary
Modifier and TypeFieldDescriptionFields inherited from interface org.springframework.security.web.server.firewall.ServerWebExchangeFirewall
INSECURE_NOOP
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionreactor.core.publisher.Mono<org.springframework.web.server.ServerWebExchange>
getFirewalledExchange
(org.springframework.web.server.ServerWebExchange exchange) Get aServerWebExchange
that has firewall rules applied to it.void
setAllowBackSlash
(boolean allowBackSlash) Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not.void
setAllowedHeaderNames
(Predicate<String> allowedHeaderNames) Determines which header names should be allowed.void
setAllowedHeaderValues
(Predicate<String> allowedHeaderValues) Determines which header values should be allowed.void
setAllowedHostnames
(Predicate<String> allowedHostnames) Determines which hostnames should be allowed.void
setAllowedHttpMethods
(Collection<org.springframework.http.HttpMethod> allowedHttpMethods) Determines which HTTP methods should be allowed.void
setAllowedParameterNames
(Predicate<String> allowedParameterNames) Determines which parameter names should be allowed.void
setAllowedParameterValues
(Predicate<String> allowedParameterValues) Determines which parameter values should be allowed.void
setAllowNull
(boolean allowNull) Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not.void
setAllowSemicolon
(boolean allowSemicolon) Determines if semicolon is allowed in the URL (i.e.void
setAllowUrlEncodedCarriageReturn
(boolean allowUrlEncodedCarriageReturn) Determines if a URL encoded Carriage Return is allowed in the path or not.void
setAllowUrlEncodedDoubleSlash
(boolean allowUrlEncodedDoubleSlash) Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not.void
setAllowUrlEncodedLineFeed
(boolean allowUrlEncodedLineFeed) Determines if a URL encoded Line Feed is allowed in the path or not.void
setAllowUrlEncodedLineSeparator
(boolean allowUrlEncodedLineSeparator) Determines if a URL encoded line separator is allowed in the path or not.void
setAllowUrlEncodedParagraphSeparator
(boolean allowUrlEncodedParagraphSeparator) Determines if a URL encoded paragraph separator is allowed in the path or not.void
setAllowUrlEncodedPercent
(boolean allowUrlEncodedPercent) Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not.void
setAllowUrlEncodedPeriod
(boolean allowUrlEncodedPeriod) Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not.void
setAllowUrlEncodedSlash
(boolean allowUrlEncodedSlash) Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not.void
setUnsafeAllowAnyHttpMethod
(boolean unsafeAllowAnyHttpMethod) Sets if any HTTP method is allowed.
-
Field Details
-
ALLOWED_HEADER_NAMES
-
ALLOWED_HEADER_VALUES
-
ALLOWED_PARAMETER_NAMES
-
ALLOWED_PARAMETER_VALUES
-
-
Constructor Details
-
StrictServerWebExchangeFirewall
public StrictServerWebExchangeFirewall()
-
-
Method Details
-
getEncodedUrlBlocklist
-
getDecodedUrlBlocklist
-
getFirewalledExchange
public reactor.core.publisher.Mono<org.springframework.web.server.ServerWebExchange> getFirewalledExchange(org.springframework.web.server.ServerWebExchange exchange) Description copied from interface:ServerWebExchangeFirewall
Get aServerWebExchange
that has firewall rules applied to it.- Specified by:
getFirewalledExchange
in interfaceServerWebExchangeFirewall
- Parameters:
exchange
- theServerWebExchange
to apply firewall rules to.- Returns:
- the
ServerWebExchange
that has firewall rules applied to it.
-
setUnsafeAllowAnyHttpMethod
public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod) Sets if any HTTP method is allowed. If this set to true, then no validation on the HTTP method will be performed. This can open the application up to HTTP Verb tampering and XST attacks- Parameters:
unsafeAllowAnyHttpMethod
- if true, disables HTTP method validation, else resets back to the defaults. Default is false.- Since:
- 5.1
- See Also:
-
setAllowedHttpMethods
public void setAllowedHttpMethods(Collection<org.springframework.http.HttpMethod> allowedHttpMethods) Determines which HTTP methods should be allowed. The default is to allow "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
- Parameters:
allowedHttpMethods
- the case-sensitive collection of HTTP methods that are allowed.- Since:
- 5.1
- See Also:
-
setAllowSemicolon
public void setAllowSemicolon(boolean allowSemicolon) Determines if semicolon is allowed in the URL (i.e. matrix variables). The default is to disable this behavior because it is a common way of attempting to perform Reflected File Download Attacks. It is also the source of many exploits which bypass URL based security.
For example, the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs:
If you are wanting to allow semicolons, please reconsider as it is a very common source of security bypasses. A few common reasons users want semicolons and alternatives are listed below:
- Including the JSESSIONID in the path - You should not include session id (or any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
- Matrix Variables - Users wanting to leverage Matrix Variables should consider using HTTP parameters instead.
- Parameters:
allowSemicolon
- should semicolons be allowed in the URL. Default is false
-
setAllowUrlEncodedSlash
public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path or not. The default is to not allow this behavior because it is a common way to bypass URL based security.
For example, due to ambiguities in the servlet specification, the value is not parsed consistently which results in different values in
HttpServletRequest
path related values which allow bypassing certain security constraints.- Parameters:
allowUrlEncodedSlash
- should a slash "/" that is URL encoded "%2F" be allowed in the path or not. Default is false.
-
setAllowUrlEncodedDoubleSlash
public void setAllowUrlEncodedDoubleSlash(boolean allowUrlEncodedDoubleSlash) Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not. The default is to not allow.
- Parameters:
allowUrlEncodedDoubleSlash
- should a slash "//" that is URL encoded "%2F%2F" be allowed in the path or not. Default is false.
-
setAllowUrlEncodedPeriod
public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) Determines if a period "." that is URL encoded "%2E" should be allowed in the path or not. The default is to not allow this behavior because it is a frequent source of security exploits.
For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in
HttpServletRequest
path related values which allow bypassing certain security constraints.- Parameters:
allowUrlEncodedPeriod
- should a period "." that is URL encoded "%2E" be allowed in the path or not. Default is false.
-
setAllowBackSlash
public void setAllowBackSlash(boolean allowBackSlash) Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
For example, due to ambiguities in the servlet specification a URL encoded period might lead to bypassing security constraints through a directory traversal attack. This is because the path is not parsed consistently which results in different values in
HttpServletRequest
path related values which allow bypassing certain security constraints.- Parameters:
allowBackSlash
- a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false
-
setAllowNull
public void setAllowNull(boolean allowNull) Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
- Parameters:
allowNull
- a null "\0" or a URL encoded null "%00" be allowed in the path or not. Default is false- Since:
- 5.4
-
setAllowUrlEncodedPercent
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) Determines if a percent "%" that is URL encoded "%25" should be allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.
For example, this can lead to exploits that involve double URL encoding that lead to bypassing security constraints.
- Parameters:
allowUrlEncodedPercent
- if a percent "%" that is URL encoded "%25" should be allowed in the path or not. Default is false
-
setAllowUrlEncodedCarriageReturn
public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn) Determines if a URL encoded Carriage Return is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.- Parameters:
allowUrlEncodedCarriageReturn
- if URL encoded Carriage Return is allowed in the URL or not. Default is false.
-
setAllowUrlEncodedLineFeed
public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed) Determines if a URL encoded Line Feed is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.- Parameters:
allowUrlEncodedLineFeed
- if URL encoded Line Feed is allowed in the URL or not. Default is false.
-
setAllowUrlEncodedParagraphSeparator
public void setAllowUrlEncodedParagraphSeparator(boolean allowUrlEncodedParagraphSeparator) Determines if a URL encoded paragraph separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.- Parameters:
allowUrlEncodedParagraphSeparator
- if URL encoded paragraph separator is allowed in the URL or not. Default is false.
-
setAllowUrlEncodedLineSeparator
public void setAllowUrlEncodedLineSeparator(boolean allowUrlEncodedLineSeparator) Determines if a URL encoded line separator is allowed in the path or not. The default is not to allow this behavior because it is a frequent source of security exploits.- Parameters:
allowUrlEncodedLineSeparator
- if URL encoded line separator is allowed in the URL or not. Default is false.
-
setAllowedHeaderNames
Determines which header names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.
- Parameters:
allowedHeaderNames
- the predicate for testing header names- Since:
- 5.4
- See Also:
-
setAllowedHeaderValues
Determines which header values should be allowed. The default is to reject header values that contain ISO control characters and characters that are not defined.
- Parameters:
allowedHeaderValues
- the predicate for testing hostnames- Since:
- 5.4
- See Also:
-
setAllowedParameterNames
Determines which parameter names should be allowed. The default is to reject header names that contain ISO control characters and characters that are not defined.- Parameters:
allowedParameterNames
- the predicate for testing parameter names- Since:
- 5.4
- See Also:
-
setAllowedParameterValues
Determines which parameter values should be allowed. The default is to allow any parameter value.
- Parameters:
allowedParameterValues
- the predicate for testing parameter values- Since:
- 5.4
-
setAllowedHostnames
Determines which hostnames should be allowed. The default is to allow any hostname.
- Parameters:
allowedHostnames
- the predicate for testing hostnames- Since:
- 5.2
-