diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
index b97f56ee47..b2e15c314a 100644
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -26,9 +26,42 @@ import java.util.List;
 import java.util.Set;
 /**
+ *

* A strict implementation of {@link HttpFirewall} that rejects any suspicious requests * with a {@link RequestRejectedException}. + *

+ *

+ * The following rules are applied to the firewall: + *

+ * * + * @see DefaultHttpFirewall * @author Rob Winch * @since 5.0.1 */ @@ -60,8 +93,36 @@ public class StrictHttpFirewall implements HttpFirewall { } /** + *

+ * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default + * is to disable this behavior because it is a common way of attempting to bypass URL + * based security. + *

+ *

For example, the following CVEs are a subset of the issues related + * to ambiguities in the Servlet Specification on how to treat semicolons that + * led to CVEs: + *

+ * * - * @param allowSemicolon + *

+ * If you are wanting to allow semicolons, please reconsider as it is a very common + * source of security bypasses. A few common reasons users want semicolons and + * alternatives are listed below: + *

+ * + * + * @param allowSemicolon should semicolons be allowed in the URL. Default is false */ public void setAllowSemicolon(boolean allowSemicolon) { if (allowSemicolon) { @@ -71,6 +132,21 @@ public class StrictHttpFirewall implements HttpFirewall { } } + /** + *
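Review bot: The new setAllowSemicolon Javadoc has a circular sentence, "the following CVEs are a subset of the issues related to ambiguities in the Servlet Specification on how to treat semicolons that led to CVEs", which should be tightened to `For example, the following CVEs are a subset of the issues caused by ambiguities in the Servlet Specification on how to treat semicolons:`. The later paragraph opens with "If you are wanting to allow semicolons", which reads better as `If you want to allow semicolons, please reconsider, as they are a very common source of security bypasses.` The list items that follow both paragraphs are not visible in this view, so their content is not reviewed here. The body of setAllowSemicolon continues outside the hunk.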

+ * Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path + * or not. The default is to not allow this behavior because it is a common way to + * bypass URL based security. + *

+ *

+ * For example, due to ambiguities in the servlet specification, the value is not + * parsed consistently which results in different values in {@code HttpServletRequest} + * path related values which allow bypassing certain security constraints. + *

+ * + * @param allowUrlEncodedSlash should a slash "/" that is URL encoded "%2F" be allowed + * in the path or not. Default is false. + */ public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) { if (allowUrlEncodedSlash) { urlBlacklistsRemoveAll(FORBIDDEN_FORWARDSLASH); @@ -79,6 +155,23 @@ public class StrictHttpFirewall implements HttpFirewall { } } + /** + *

+ * Determines if a period "." that is URL encoded "%2E" should be allowed in the path + * or not. The default is to not allow this behavior because it is a frequent source + * of security exploits. + *

+ *

+ * For example, due to ambiguities in the servlet specification a URL encoded period + * might lead to bypassing security constraints through a directory traversal attack. + * This is because the path is not parsed consistently which results in different + * values in {@code HttpServletRequest} path related values which allow bypassing + * certain security constraints. + *

+ * + * @param allowUrlEncodedPeriod should a period "." that is URL encoded "%2E" be + * allowed in the path or not. Default is false. + */ public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) { if (allowUrlEncodedPeriod) { this.encodedUrlBlacklist.removeAll(FORBIDDEN_ENCODED_PERIOD); @@ -87,6 +180,23 @@ public class StrictHttpFirewall implements HttpFirewall { } } + /** + *

+ * Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in + * the path or not. The default is not to allow this behavior because it is a frequent + * source of security exploits. + *

+ *

+ * For example, due to ambiguities in the servlet specification a URL encoded period + * might lead to bypassing security constraints through a directory traversal attack. + * This is because the path is not parsed consistently which results in different + * values in {@code HttpServletRequest} path related values which allow bypassing + * certain security constraints. + *

+ * + * @param allowBackSlash a backslash "\" or a URL encoded backslash "%5C" be allowed + * in the path or not. Default is false + */ public void setAllowBackSlash(boolean allowBackSlash) { if (allowBackSlash) { urlBlacklistsRemoveAll(FORBIDDEN_BACKSLASH); @@ -95,6 +205,20 @@ public class StrictHttpFirewall implements HttpFirewall { } } + /** + *
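Review bot: The explanatory paragraph in the new setAllowBackSlash Javadoc talks about "a URL encoded period" even though this setter controls backslashes; it appears to have been copied from the setAllowUrlEncodedPeriod Javadoc in the previous hunk. The sentence should read `For example, due to ambiguities in the servlet specification a backslash "\" or a URL encoded backslash "%5C" might lead to bypassing security constraints through a directory traversal attack.` The `@param allowBackSlash` description is also missing its verb and is inconsistent with the sibling setters; it should read `@param allowBackSlash should a backslash "\" or a URL encoded backslash "%5C" be allowed in the path or not. Default is false`. The body of setAllowBackSlash continues outside the hunk.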

+ * Determines if a percent "%" that is URL encoded "%25" should be allowed in the path + * or not. The default is not to allow this behavior because it is a frequent source + * of security exploits. + *

+ *

+ * For example, this can lead to exploits that involve double URL encoding that lead + * to bypassing security constraints. + *

+ * + * @param allowUrlEncodedPercent if a percent "%" that is URL encoded "%25" should be + * allowed in the path or not. Default is false + */ public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) { if (allowUrlEncodedPercent) { this.encodedUrlBlacklist.remove(ENCODED_PERCENT);