
UnsupportedOperationException when an http header is being added to a mutated ServerWebExchange request due to the new StrictFirewallHttpHeaders class #16002


Closed
sestrel opened this issue Oct 25, 2024 · 6 comments
Labels: in: web (An issue in web modules (web, webmvc)), type: bug (A general bug)

Comments


sestrel commented Oct 25, 2024

Spring Boot 3.3.5 includes spring-security-web-6.3.4.jar. The newly introduced class org.springframework.security.web.server.firewall.StrictServerWebExchangeFirewall$StrictFirewallServerWebExchange$StrictFirewallHttpRequest$StrictFirewallHttpHeaders isn't supported by org.springframework.http.HttpHeaders.writableHttpHeaders(). As a result the following exception is being thrown if the ServerWebExchange webflux request is being mutated and an http header is modified or added:
```
java.lang.UnsupportedOperationException: null
	at org.springframework.http.ReadOnlyHttpHeaders.put(ReadOnlyHttpHeaders.java:130) ~[spring-web-6.1.14.jar:6.1.14]
	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
	*__checkpoint ⇢ org.springframework.security.web.server.authorization.AuthorizationWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.authentication.logout.LogoutWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
	*__checkpoint ⇢ org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers$MutatorFilter [DefaultWebFilterChain]
	*__checkpoint ⇢ HTTP GET "/api/mycontroller" [ExceptionHandlingWebHandler]
Original Stack Trace:
	at org.springframework.http.ReadOnlyHttpHeaders.put(ReadOnlyHttpHeaders.java:130) ~[spring-web-6.1.14.jar:6.1.14]
	at org.springframework.http.ReadOnlyHttpHeaders.put(ReadOnlyHttpHeaders.java:39) ~[spring-web-6.1.14.jar:6.1.14]
	at org.springframework.http.HttpHeaders.put(HttpHeaders.java:1779) ~[spring-web-6.1.14.jar:6.1.14]
	at org.springframework.http.server.reactive.DefaultServerHttpRequestBuilder.header(DefaultServerHttpRequestBuilder.java:110) ~[spring-web-6.1.14.jar:6.1.14]
	at app.SetHttpHeaderWebFilter.filter(SetHttpHeaderWebFilter.java:21) ~[main/:na]
	at org.springframework.web.server.handler.DefaultWebFilterChain.invokeFilter(DefaultWebFilterChain.java:114) ~[spring-web-6.1.14.jar:6.1.14]
```

I set up a small github project github StrictFirewallHttpHeaders. Simply run "gradlew clean test" to reproduce the error.

@sestrel sestrel added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 25, 2024
@evgeniycheban
Contributor

Hi, @jzheaux, can I work on this?

@ducvo-kms

@sestrel, @evgeniycheban. We have the same issue. I found the issue reported and fixed in spring-projects/spring-framework#33789 in commit spring-projects/spring-framework@a06bbcc

@jzheaux
Contributor

jzheaux commented Oct 28, 2024

Sure, @evgeniycheban. You might begin by writing a failing test and seeing if it passes once you update to the latest Spring Framework snapshot.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 28, 2024
@rwinch
Member

rwinch commented Oct 28, 2024

Closing as duplicate of #15989 which is superseded by spring-projects/spring-framework#33789

@keerthimunikoti1807

keerthimunikoti1807 commented Oct 29, 2024

I tried to upgrade spring-security-web to 6.3.4 to fix CVE-2024-38821 and faced this issue.

@rwinch I use a putHeaders function which replaces the original headers with new headers. Could you please tell me how I can modify this to work?

```java
// Replaces every header in origHeaders that also appears in newHeaders.
// origHeaders is the HttpHeaders handed to the mutate().headers(...) consumer;
// with spring-security-web 6.3.4 that is still the firewall's read-only wrapper
// (writableHttpHeaders() does not unwrap it), so put(...) throws
// UnsupportedOperationException here.
private void putHeaders(HttpHeaders origHeaders, HttpHeaders newHeaders) {
    newHeaders.forEach((key, value) -> origHeaders.put(key, value));
}

ServerHttpRequest request =
        exchange.getRequest().mutate().headers(headers -> putHeaders(headers, newHeaders)).build();
```

@rwinch
Member

rwinch commented Oct 29, 2024

@keerthimunikoti1807 Did you see the workaround in the issue that I indicated that this duplicates?
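
The failing pattern in both sestrel's SetHttpHeaderWebFilter (first comment) and the putHeaders(...) snippet above is a write into the request builder's HttpHeaders, which in this version combination is still the firewall's read-only wrapper. The following WebFilter is an added example, not code from this issue, from Spring Security, or from the workaround linked in #15989: it gets the same replace-semantics without writing to that wrapper, by copying the firewalled headers into a fresh HttpHeaders, applying the overrides, and exposing the copy through a ServerHttpRequestDecorator. The class name, the overrides field and the copyOf helper are assumptions; the rest is public Spring Web API (HttpHeaders, ServerHttpRequestDecorator, ServerWebExchange.mutate()).

```java
// Added example, not code from the issue or from Spring Security.
// Class name, "overrides" field and copyOf(...) are assumptions.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

public class CopyingHeaderWebFilter implements WebFilter {

    private final HttpHeaders overrides;

    public CopyingHeaderWebFilter(HttpHeaders overrides) {
        // Freeze the overrides so nothing can change them after the filter is built.
        this.overrides = HttpHeaders.readOnlyHttpHeaders(overrides);
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        ServerHttpRequest original = exchange.getRequest();

        // Never call put/add on original.getHeaders(): that is the firewall's
        // read-only wrapper and is exactly what throws in the stack trace above.
        HttpHeaders merged = copyOf(original.getHeaders());

        // Same replace-semantics as putHeaders(...): an override replaces every
        // value of that header name. HttpHeaders is case-insensitive, so
        // "x-forwarded-for" and "X-Forwarded-For" collapse onto one entry.
        this.overrides.forEach((name, values) -> merged.put(name, new ArrayList<>(values)));

        // Hand the rest of the chain a read-only view again, so downstream filters
        // still cannot alter request headers in place.
        HttpHeaders frozen = HttpHeaders.readOnlyHttpHeaders(merged);
        ServerHttpRequest decorated = new ServerHttpRequestDecorator(original) {
            @Override
            public HttpHeaders getHeaders() {
                return frozen;
            }
        };
        return chain.filter(exchange.mutate().request(decorated).build());
    }

    // Copies name -> values into a new, writable HttpHeaders. The value lists are
    // copied as well: a read-only HttpHeaders hands out unmodifiable lists, and
    // reusing them would throw the same UnsupportedOperationException on a later
    // add(...) against the copy.
    static HttpHeaders copyOf(HttpHeaders source) {
        HttpHeaders copy = new HttpHeaders();
        for (Map.Entry<String, List<String>> entry : source.entrySet()) {
            copy.put(entry.getKey(), new ArrayList<>(entry.getValue()));
        }
        return copy;
    }
}
```

Register it where the original header-setting filter was registered; the only change downstream code sees is that exchange.getRequest().getHeaders() now returns the merged copy instead of the firewalled instance. Per the thread, the underlying fix is spring-projects/spring-framework#33789, so treat this decorator as a stopgap for the version combination named in the first comment and drop it once that fix is on the classpath.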
