
[#1025] - Shiro's InvalidRequestFilter blocks valid paths with encoded slashes

Open haster opened this issue 2 years ago • 4 comments

fixes #1025 Adds a 3-valued enum for path-traversal-blockmode. Default is NORMAL, which only blocks actual paths. STRICT also blocks encoded slashes ('/') and periods ('.'). NO_BLOCK disables.

This enables a mode to block actual path traversal while still allowing encoded URLs and such to be present as a path parameter.

Following this checklist to help us incorporate your contribution quickly and easily:

  • [x] Make sure there is a GitHub issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
  • [x] Each commit in the pull request should have a meaningful subject line and body.
  • [x] Format the pull request title like [#XXX] - Fixes bug in SessionManager, where you replace #XXX with the appropriate GitHub issue. Best practice is to use the GitHub issue title in the pull request title and in the first line of the commit message.
  • [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • [x] add fixes #XXX if merging the PR should close a related issue.
  • [x] Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
  • [x] If you have a group of commits related to the same change, please squash your commits into one and force push your branch using git rebase -i.
  • [x] Committers: Make sure a milestone is set on the PR

Trivial changes like typos do not require a GitHub issue (javadoc, comments...). In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement. If you are unsure, please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004 you have to acknowledge this by using the following check-box.

haster avatar Aug 02 '23 14:08 haster

Thanks for the PR @haster! (and sorry for the delay with the response)

I can see the desire to make this more flexible, but we need to make sure we retain backwards compatibility with the current versions of Shiro, e.g. restore the boolean getters (though we could deprecate them too).

I think the default value should be what you have defined as STRICT (secure by default)

Possibly enum values of ENABLED, LAX, and DISABLED? Where LAX, (or something better named), is your current NORMAL?

    /**
     * @deprecated Use {@link #getBlockTraversal()}
     */
    @Deprecated
    public boolean isBlockTraversal() {
        // we could even add a log warning here 🤷
        return this.pathTraversalBlockMode != DISABLED;
    }

Thoughts / suggestions? (other ideas for the term LAX)?

bdemers avatar Sep 01 '23 14:09 bdemers
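The three-valued block mode from the PR description and the deprecated boolean getter the review above asks to keep, as one added stand-alone example. This is not Shiro's InvalidRequestFilter code and not the PR's diff: the enum constant names follow the reviewer's ENABLED/LAX/DISABLED suggestion, while the class name, the `isPathValid` method, the exact set of literal and percent-encoded characters checked, and the sample paths are assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added example (not Shiro's own code): a sketch of the three-valued
// path-traversal block mode with a backwards-compatible boolean property.
public class PathTraversalCheckExample {

    /** Three-valued replacement for the old boolean blockTraversal flag. */
    public enum PathTraversalBlockMode {
        /** Secure default: reject literal traversal segments and their percent-encoded forms. */
        ENABLED,
        /** Reject literal traversal segments only; %2F and %2E may appear in path parameters. */
        LAX,
        /** No traversal check at all. */
        DISABLED
    }

    // Assumed encoded forms to reject in ENABLED mode: %2F (slash), %5C (backslash),
    // %2E (period), in either letter case.
    private static final Pattern ENCODED_TRAVERSAL_CHARS = Pattern.compile("(?i)%(2F|5C|2E)");

    private PathTraversalBlockMode pathTraversalBlockMode = PathTraversalBlockMode.ENABLED;

    public PathTraversalBlockMode getPathTraversalBlockMode() {
        return pathTraversalBlockMode;
    }

    public void setPathTraversalBlockMode(PathTraversalBlockMode mode) {
        this.pathTraversalBlockMode = mode;
    }

    /**
     * Kept so existing configurations that set the boolean property still work.
     * @deprecated Use {@link #getPathTraversalBlockMode()}
     */
    @Deprecated
    public boolean isBlockTraversal() {
        return pathTraversalBlockMode != PathTraversalBlockMode.DISABLED;
    }

    /**
     * Maps the old boolean onto the enum: true keeps the secure default, false disables.
     * @deprecated Use {@link #setPathTraversalBlockMode(PathTraversalBlockMode)}
     */
    @Deprecated
    public void setBlockTraversal(boolean blockTraversal) {
        this.pathTraversalBlockMode = blockTraversal
                ? PathTraversalBlockMode.ENABLED : PathTraversalBlockMode.DISABLED;
    }

    /** True if any "/"-separated segment is "." or "..", or the path contains a backslash. */
    static boolean hasLiteralTraversal(String path) {
        if (path.indexOf('\\') >= 0) {
            return true;
        }
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return true;
            }
        }
        return false;
    }

    /** The mode-dependent decision the filter would make for one request path. */
    public boolean isPathValid(String path) {
        switch (pathTraversalBlockMode) {
            case DISABLED:
                return true;
            case LAX:
                return !hasLiteralTraversal(path);
            case ENABLED:
            default:
                return !hasLiteralTraversal(path)
                        && !ENCODED_TRAVERSAL_CHARS.matcher(path).find();
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths: a plain path, a literal traversal, a path
        // parameter carrying an encoded slash, and an encoded traversal.
        String[] samples = {
            "/api/users/alice",
            "/api/../admin",
            "/api/files/a%2Fb",
            "/api/files/..%2F..%2Fetc"
        };
        PathTraversalCheckExample filter = new PathTraversalCheckExample();
        for (PathTraversalBlockMode mode : PathTraversalBlockMode.values()) {
            filter.setPathTraversalBlockMode(mode);
            for (String path : samples) {
                System.out.printf("%-8s %-26s %s%n", mode, path,
                        filter.isPathValid(path) ? "allowed" : "blocked");
            }
        }
    }
}
```

Running `main` prints the decision for every mode and path. The table makes the trade-off in this thread visible: under ENABLED the legitimate `/api/files/a%2Fb` is blocked (the complaint in the PR title), while under LAX it is allowed, but so is `/api/files/..%2F..%2Fetc`, whose encoded slashes the check leaves untouched. Whether that second path ever becomes a real traversal depends on how the servlet container decodes `%2F` before path matching, which is why the reviewer argues for the stricter mode as the default.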

Are there any updates on this issue?

ansidev avatar Sep 21 '23 18:09 ansidev

@haster what do you think about @bdemers suggestions?

lprimak avatar Nov 05 '23 19:11 lprimak

There are still issues with this PR that remain unresolved, and it seems the author has abandoned it. We are happy to accept improvements to this PR or another PR to resolve the outstanding issues.

lprimak avatar Jun 20 '24 03:06 lprimak