perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin
Apache License 2.0
9.64k stars 1.56k forks

path parameter in request.params is not accessible in before filter #962

Closed M-Razavi closed 5 years ago

M-Razavi commented 6 years ago

I want to check all parameters in a before filter for XSS attacks and escape them, but the param size is 0 in the before filter until the main request.

jon-ruckwood commented 5 years ago

Yes, I've observed this in 2.8.0. Given:

public static void main(String[] args) {
    Service spark = Service.ignite();

    spark.get("/foobar/:id", (request, response) -> {
        System.out.println("get: " + request.params("id"));
        return null;
    });

    spark.before((request, response) -> System.out.println("before: " + request.params("id")));

    spark.after((request, response) -> System.out.println("after: " + request.params("id")));

    spark.afterAfter((request, response) -> System.out.println("afterAfter: " + request.params("id")));

    spark.awaitInitialization();
}

when issuing:

$ curl http://localhost:4567/foobar/123456

the following is printed to stdout:

before: null
get: 123456
after: null
afterAfter: null

So they are not available in any filter. I'm guessing this might not be an easy issue to fix?

tipsy commented 5 years ago

The route hasn't been matched yet, so the before filter can't know what the params are.
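
Following on from the explanation above, an added example (not part of the original thread and not the Spark project's own code): a before filter registered with the same path pattern as the route is matched against that pattern, so `request.params("id")` is populated inside it and can be checked before the handler runs, while a pattern-less filter only sees query and form parameters. The class name, both allowlist patterns and the 400 responses are assumptions made for illustration; confirm the filter behaviour on the Spark version you run.

```java
import java.util.regex.Pattern;

import spark.Service;

public class PathParamFilterExample {

    // Constructed allowlists for this example: a numeric id, and short plain-text query values.
    private static final Pattern NUMERIC_ID = Pattern.compile("\\d{1,18}");
    private static final Pattern SAFE_QUERY_VALUE = Pattern.compile("[\\w .,@-]{0,256}");

    public static void main(String[] args) {
        Service spark = Service.ignite();

        // Pattern-less filter: runs for every request before any route is matched,
        // so request.params() is empty here. Query parameters are available.
        spark.before((request, response) -> {
            for (String name : request.queryParams()) {
                String value = request.queryParams(name);
                if (value == null || !SAFE_QUERY_VALUE.matcher(value).matches()) {
                    spark.halt(400, "invalid query parameter");
                }
            }
        });

        // Path-scoped filter: registered with the route's own pattern, so the
        // ":id" segment is bound and can be validated before the handler runs.
        spark.before("/foobar/:id", (request, response) -> {
            String id = request.params("id");
            if (id == null || !NUMERIC_ID.matcher(id).matches()) {
                spark.halt(400, "invalid id");
            }
        });

        spark.get("/foobar/:id", (request, response) -> {
            // Only allowlisted ids reach this point; respond as plain text
            // so the value is never interpreted as markup by the browser.
            response.type("text/plain");
            return "id=" + request.params("id");
        });

        spark.awaitInitialization();
    }
}
```

With this in place, `curl http://localhost:4567/foobar/123456` reaches the handler, while a request whose `:id` segment is not numeric is answered with 400 by the path-scoped filter.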