Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (instance creation)

Description:
Using DefaultHttpFirewall may lead to security flaws
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation
Spring Security recommends the use of StrictHttpFirewall as it rejects malicious URLs instead of trying to sanitize them.
Before:
public void httpFirewall() {
    DefaultHttpFirewall firewall = new DefaultHttpFirewall();
}
After:
public void httpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
}

Resources

Recipe
id: scw:spring:security:stricthttpfirewall-instance
version: 10
metadata:
  name: 'Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (instance creation)'
  shortDescription: Using DefaultHttpFirewall may lead to security flaws
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidDefaultHttpFirewallInstanceCreation.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  instanceCreation:
    type: org.springframework.security.web.firewall.DefaultHttpFirewall
availableFixes:
- name: Use StrictHttpFirewall
  actions:
  - rewrite:
      to: new org.springframework.security.web.firewall.StrictHttpFirewall()
  - modifyAssignedVariable:
      type: org.springframework.security.web.firewall.StrictHttpFirewall