Problem using & in the Documentation URI

[maycson-ciandt]

Description

In all versions of Structurizr when trying to access a URL that contains a URI with & Structurizr is adding a ; inside the URI and this causes a Tomcat error.

27-Dec-2023 14:15:32.542 SEVERE [http-nio-8080-exec-3] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [root] in c
ontext with path [] threw exception
        org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially maliciou
s String ";"
                at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlocklistedUrls(StrictHttpFirewall.java:456)
                at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:429)
                at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:196)
                at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
                at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
                at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
                at com.structurizr.onpremises.web.NoOpSpringSessionRepositoryFilter.doFilter(NoOpSpringSessionRepositoryFilter.java:14)
                at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
                at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
                at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
                at org.springframework.web.filter.ForwardedHeaderFilter.doFilterInternal(ForwardedHeaderFilter.java:156)
                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Unknown Source)

Steps to reproduce

1 - Add documentation to your workspace.dsl that contains an & 2 - Access the URL of the documentation you created 3 - You will get an Error 500 and an exception in your log /usr/local/tomcat/logs/localhost.$(date +"%Y-%m-%d").log

Screenshot

Code sample

group "In Scope" {
            joyImportClaim = softwareSystem "Joy Reward Codes Import & Claim" "Imports valid reward codes and allows a User to claim a reward code for a promotional campaign." {
                !adrs adr
                group "Persistent Data Solutions" {
                    rewardDatabase = container "Joy Reward Database" "Contains the valid rewards for the promotional campaigns." "Couchbase" {
                        !docs doc/database
                        tags "Persistent Storage"
                    }
                }

Configuration

Build 3115

Severity

Minor

Priority

I have no budget and there's no rush, please fix this for free

More information

I tested this on many versions from the oldest to the most recent and the problem continues. I also tried to solve it by changing my server.xml but I was unsuccessful. relaxedPathChars='[]|;' relaxedQueryChars='[]|;{}^\`"<>&'

[simonbrowndotje]

I think this should now be resolved in build 3263.

[maycson-ciandt]

Thank you @simonbrowndotje