Reputation: 14717
How to configure Spring MVC to prevent "Path-Based Vulnerability"
I have a Spring MVC (5.0.8.RELEASE) application and a recent security scan indicates that it has "Path-Based Vulnerability". Here is the controller:
@RequestMapping(value = "/faq", method = RequestMethod.GET)
public String faq(HttpServletRequest request) {
return "faq";
}
For the above controller, here is the valid url for my FAQ page:
However, based on the security scan and what I tested, the following url works too:
http://example.com/faq.anything
How can I configure Spring MVC to make http://example.com/faq to the only valid URL? (suppose that I don't use @PathVariable)
Upvotes: 2
Views: 1266
Answers (1)
Reputation: 2061
Because spring support suffix ".*" default. /person is also mapped to /person.* /person.xml or /person.pdf or /person.any is also mapped. - To completely disable the use of file extensions, you must set both of these:
.useSuffixPatternMatching(false)
.favorPathExtension(false)
Upvotes: 2
Related Questions
- Spring Boot Optional Path Variables
- How to ignore base path url in Spring MVC?
- Spring Boot mvc path match strategy
- How can I make spring MVC PathVariable more robust?
- Spring Boot Security wont ignore certain paths that dont need to be secured
- How can I secure Spring controller to not accept wrong type of path variables passes in URL?
- How to configure different paths with Spring Security?
- How to disable spring security for certain resource paths
- Spring Security with path variable parameters
- spring generating wrong path to forward