perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin
Apache License 2.0

SparkJava - failed to validate http methods for Static files #1204

Open Prashantha-AV opened 3 years ago

Prashantha-AV commented 3 years ago

Hi,

Need help on static files

Issue: When the application starts up, the static files can be accessed with any (GET, POST, XXX) HTTP method. The application fails the vulnerability scan, with the finding identified as: "Verb tampering. Only allow required HTTP methods, e.g. GET, POST."

Spark Java version: spark-core:2.7.2. Server: Jetty(9.4.14.v20181114)

Is it possible to add a filter or some other alternative to stop access to the static information from cURL or Postman?

Sample reproducer

import static spark.Spark.halt;
import spark.Service;

public class ServerExample {

    public ServerExample() {
        Service service = Service.ignite().port(4568);
        // Serve static files from an external folder (file attached for dev folder)
        service.staticFiles.externalLocation("C:\\dev");

        // Log the headers of every request that reaches Spark's filters
        service.before((req, res) -> {
            System.out.println("Hello:" + req.headers());
        });

        // Route for "/": reject anything that is not a GET
        service.get("/", (req, res) -> {
            if (!req.requestMethod().equalsIgnoreCase("GET")) {
                halt(401, "invalid Http method");
            }
            return null;
        });
    }

    public static void main(String[] args) {
        new ServerExample();
    }
}

Reproduce the issue from cURL:

1. curl -X XYZ --insecure http://localhost:4568/
   Response -> <!doctype html>Welcome

2. curl -X XYZ --insecure http://localhost:4568/manifest.json
   Response -> { "icons": [ { "src": "favicon.png", "sizes": "48x48",

The XYZ in the calls above is an invalid HTTP method.

The app should not respond to any invalid HTTP method; adding a filter on "/" is not considered.

Could anyone help to fix this? dev.zip

senyast4745 commented 3 years ago

@Prashantha-AV @perwendel Hi. I think the correct behavior is to return a 405 code if the file is found, but the HTTP method is not supported. Do you agree?