Recipe Name:
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded double slash
Description:
Rejecting the use of a URL encoded double slash in the URL is more secure
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

Disallowing a URL encoded double slash ("%2F%2F") in the URL is more secure, as it is frequently used to bypass security constraints. Spring Security by default sets StrictHttpFirewall#setAllowUrlEncodedDoubleSlash to false, so passing true to this method deliberately weakens the default firewall.

Before
firewall.setAllowUrlEncodedDoubleSlash(true);
After
firewall.setAllowUrlEncodedDoubleSlash(false);
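The following is an added example, not code from the recipe or from Spring Security itself. It registers a StrictHttpFirewall bean with the "After" setting and includes a small helper that shows how a request whose URI contains an encoded double slash is stopped by the firewall before any security filter runs. It assumes spring-security-web and spring-test (for MockHttpServletRequest) are on the classpath; the bean name, class name, helper method and sample paths are hypothetical.

```java
// Added example (not part of the original recipe): a Spring configuration that
// registers a StrictHttpFirewall rejecting URL-encoded double slashes, plus a
// helper demonstrating the rejection on constructed sample request URIs.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    // An HttpFirewall bean is picked up by Spring Security's FilterChainProxy,
    // so every request passes through it before reaching the filter chain.
    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // false is already the default; setting it explicitly documents the
        // intent and guards against a later "true" slipping in (the recipe's
        // "Before" state).
        firewall.setAllowUrlEncodedDoubleSlash(false);
        return firewall;
    }

    // Returns true when the firewall rejects a GET request for the given URI.
    // RequestRejectedException is what StrictHttpFirewall throws for blocked
    // requests; in a running application FilterChainProxy translates it into
    // an error response rather than dispatching the request.
    public static boolean isRejected(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        HttpFirewall firewall = new FirewallConfig().httpFirewall();
        // Constructed sample paths (hypothetical application routes).
        String[] samples = {
            "/api/users",          // plain path, accepted
            "/api%2F%2Fusers",     // encoded double slash, rejected
            "/api%2f%2fusers"      // lowercase encoding, also rejected
        };
        for (String uri : samples) {
            System.out.println(uri + " rejected=" + isRejected(firewall, uri));
        }
    }
}
```

The check is case-insensitive with respect to the percent encoding: StrictHttpFirewall's encoded-URL blocklist covers the upper, lower and mixed-case spellings of "%2F%2F", so the lowercase sample is rejected along with the uppercase one. A plain "//" in the decoded path is blocked separately by setAllowUrlEncodedSlash's companion check on the decoded URL, which this example leaves at its default.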
References
Recipe
id: scw:spring:security:stricthttpfirewall-double-slash
version: 10
metadata:
  name: 'Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded double slash'
  shortDescription: Rejecting the use of a URL encoded double slash in the URL is more secure
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/RejectURLEncodedDoubleSlash.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setAllowUrlEncodedDoubleSlash
    type: org.springframework.security.web.firewall.StrictHttpFirewall
availableFixes:
- name: Set setAllowUrlEncodedDoubleSlash to false
  actions:
  - modifyArguments:
      rewrite:
        1: "false"