Recipe Name:
Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (method return type)
Description:
Using DefaultHttpFirewall may lead to security flaws
Level:
warning
Language:
- java
- kotlin
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
Documentation
Spring Security recommends StrictHttpFirewall (its default HttpFirewall since 4.2.4 / 5.0) because it rejects suspicious requests outright, with a RequestRejectedException, instead of trying to sanitize them. DefaultHttpFirewall normalizes questionable URLs (for example, collapsing double slashes), and a URL that is normalized one way by the firewall and another way by a downstream servlet or authorization matcher is a classic path for authorization bypass. Declaring a bean whose return type is DefaultHttpFirewall therefore opts out of the safer default. If one of StrictHttpFirewall's rules breaks a legitimate route (for instance, encoded slashes in a path segment), relax that single rule on a StrictHttpFirewall instance rather than falling back to DefaultHttpFirewall.
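The following is an added example, not code from the recipe or from Spring Security itself, showing the hardened form of such a bean: it returns the HttpFirewall interface (the recipe's first fix), builds a StrictHttpFirewall, relaxes only the encoded-slash rule, and registers the firewall through a WebSecurityCustomizer. The class name FirewallConfig, the allowed-method list and the helper isRejected are assumptions for illustration; the Spring APIs used (setAllowUrlEncodedSlash, setAllowedHttpMethods, getFirewalledRequest, WebSecurity.httpFirewall, MockHttpServletRequest from spring-test) are real.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Assumed class name for this example.
@Configuration
public class FirewallConfig {

    // Return the HttpFirewall interface rather than a concrete class, so the
    // recipe's search (returnType == DefaultHttpFirewall) can never match and
    // the concrete implementation does not leak into the bean signature.
    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();

        // StrictHttpFirewall rejects an encoded "/" (%2F) by default. If a route
        // genuinely needs it, relax only this rule; do not downgrade the whole
        // firewall to DefaultHttpFirewall to get the same effect.
        firewall.setAllowUrlEncodedSlash(true);

        // Assumption: this application only serves these methods. Anything else
        // (TRACE, PUT, arbitrary verbs) is rejected before it reaches a filter.
        firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST"));

        return firewall;
    }

    // Wire the bean into the security filter chain.
    @Bean
    public WebSecurityCustomizer firewallCustomizer(HttpFirewall firewall) {
        return web -> web.httpFirewall(firewall);
    }

    // Helper (assumed, not part of Spring) that shows the "reject, don't
    // sanitize" behaviour: a request the firewall refuses to wrap throws
    // RequestRejectedException instead of being rewritten.
    public static boolean isRejected(HttpFirewall firewall, String method, String uri) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, uri);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException rejected) {
            return true;
        }
    }

    public static void main(String[] args) {
        HttpFirewall firewall = new FirewallConfig().httpFirewall();
        // A ".." path segment is never normalized away; the request is rejected.
        System.out.println(isRejected(firewall, "GET", "/admin/../secret"));   // true
        // A disallowed HTTP method is rejected as well.
        System.out.println(isRejected(firewall, "TRACE", "/health"));          // true
        // A plain, normalized request passes.
        System.out.println(isRejected(firewall, "GET", "/health"));            // false
    }
}
```

The same bean could equally be declared with return type StrictHttpFirewall (the recipe's second fix); returning the interface is the more conventional choice because callers only need HttpFirewall, and it keeps the firewall implementation swappable without touching the bean's signature.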
Before
public DefaultHttpFirewall httpFirewall() { return new DefaultHttpFirewall(); }
After
public StrictHttpFirewall allowUrlEncodedSlashHttpFirewall() { return new StrictHttpFirewall(); }
References
Recipe
id: scw:spring:security:stricthttpfirewall-returntype
version: 10
metadata:
  name: 'Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (method return type)'
  shortDescription: Using DefaultHttpFirewall may lead to security flaws
  level: warning
  language: java; kotlin
  enabled: true
  descriptionFile: descriptions/AvoidDefaultHttpFirewallReturnType.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  method:
    returnType: org.springframework.security.web.firewall.DefaultHttpFirewall
availableFixes:
  - name: Use interface HttpFirewall
    actions:
      - changeType:
          type: org.springframework.security.web.firewall.HttpFirewall
  - name: Use return type StrictHttpFirewall
    actions:
      - changeType:
          type: org.springframework.security.web.firewall.StrictHttpFirewall