SparkJava - failed to validate HTTP methods for static files
Prashantha-AV opened this issue · comments
Hi,
Need help on static files.
Issue: when the application starts up, the static files can be accessed with any HTTP method (GET, POST, XXX).
The application fails a vulnerability scan as below:
identified: - Verb tampering. Only allow required HTTP methods, e.g. GET, POST.
Spark Java version: spark-core:2.7.2
Server: Jetty(9.4.14.v20181114)
Is it possible to add a filter or some other alternative to stop access to the static content from cURL or Postman?
Sample reproducer:
import static spark.Spark.halt;

import spark.Service;

public class ServerExample {

    public ServerExample() {
        Service service = Service.ignite().port(4568);

        // Static content is served straight from this folder (the attached dev folder).
        service.staticFiles.externalLocation("C:\\dev");

        // Logs the request headers of every request that reaches the filter chain.
        service.before((req, res) -> {
            System.out.println("Hello:" + req.headers());
        });

        // Note: Spark only dispatches GET requests to a get() route, so this
        // method check can never be reached by a request with another method.
        service.get("/", (req, res) -> {
            if (!req.requestMethod().equalsIgnoreCase("GET")) {
                halt(401, "invalid Http method");
            }
            return null;
        });
    }

    public static void main(String[] args) {
        new ServerExample();
    }
}
Reproduce the issue from cURL:
1. curl -X XYZ --insecure http://localhost:4568/
Response -> <!doctype html>Welcome
2. curl -X XYZ --insecure http://localhost:4568/manifest.json
Response ->
{
  "icons": [
    {
      "src": "favicon.png",
      "sizes": "48x48",
XYZ in the calls above is an invalid HTTP method.
The app should not respond to any invalid HTTP method; adding a filter on "/" is not considered.
Could anyone help to fix this?
dev.zip
@Prashantha-AV @perwendel
Hi. I think the correct behavior is to return a 405 code if the file is found but the HTTP method is not supported. Do you agree?
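One way to get the 405 behaviour suggested above for the reporter's setup, written here as an added example (it is not code from the issue or from the Spark project): a before-filter allow-lists GET and HEAD and answers everything else with 405 plus the `Allow` header that RFC 7231 requires, and the files are served through explicit routes rather than `staticFiles.externalLocation(...)`. The second part matters because, as I read `MatcherFilter` in Spark 2.7.x, the static-file handler consumes the request before any before-filter is evaluated, which is why the reporter's filter on "/" never sees those requests; verify that against the version you run. The class name, the reuse of the reproducer's `C:\\dev` folder, the `index.html` welcome-file convention, the `Files.probeContentType` lookup with an octet-stream fallback, and the choice of 404 for both missing files and traversal attempts are all my assumptions; the `Service`, `Route`, `halt`, `head` and `before` calls are the Spark 2.7 API.

```java
import spark.Route;
import spark.Service;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class MethodGuardedStaticServer {

    // The only methods a static-content endpoint needs; advertised on 405 responses.
    private static final String ALLOWED_METHODS = "GET, HEAD";

    public static void main(String[] args) {
        // Assumption: same document root as the issue's reproducer.
        Path root = Paths.get("C:\\dev").toAbsolutePath().normalize();
        Service service = Service.ignite().port(4568);

        // 1. Method allow-list. A before-filter without a path runs for every request that
        //    reaches Spark's filter chain, including requests for paths no route maps, so an
        //    unknown verb such as XYZ is rejected before anything is looked up on disk.
        service.before((req, res) -> {
            String method = req.requestMethod().toUpperCase();
            if (!method.equals("GET") && !method.equals("HEAD")) {
                res.header("Allow", ALLOWED_METHODS);
                throw service.halt(405, "Method Not Allowed");
            }
        });

        // 2. Static files via ordinary routes, so they sit behind the filter above
        //    (staticFiles.externalLocation would be consumed before it, in my reading of 2.7.x).
        Route serveFile = (req, res) -> {
            String pathInfo = req.pathInfo() == null ? "/" : req.pathInfo();
            Path target = resolveSafely(root, pathInfo);
            if (target == null) {
                throw service.halt(404, "Not Found");
            }
            String type = Files.probeContentType(target); // OS-dependent, may be null
            res.type(type != null ? type : "application/octet-stream");
            res.header("X-Content-Type-Options", "nosniff");
            // Spark serializes a byte[] return value as the raw response body.
            return Files.readAllBytes(target);
        };
        for (String pattern : new String[]{"/", "/*"}) {
            service.get(pattern, serveFile);
            service.head(pattern, serveFile);
        }
    }

    /**
     * Maps a request path onto the document root. Returns null when the path escapes the
     * root ("../" sequences), names a directory, or does not exist; the caller reports all
     * three as 404 so a scanner cannot tell a traversal attempt from a missing file.
     */
    static Path resolveSafely(Path root, String pathInfo) {
        String relative = pathInfo.replaceFirst("^/+", "");
        if (relative.isEmpty() || pathInfo.endsWith("/")) {
            relative = relative + "index.html"; // welcome file (assumed), like Spark's static handler
        }
        Path target = root.resolve(relative).normalize();
        if (!target.startsWith(root) || !Files.isRegularFile(target)) {
            return null;
        }
        return target;
    }
}
```

With this in place, `curl -i -X XYZ http://localhost:4568/manifest.json` should come back with `405 Method Not Allowed` and `Allow: GET, HEAD`, while `curl -i http://localhost:4568/manifest.json` still serves the file. If you prefer to keep `staticFiles.externalLocation(...)`, the same check has to live somewhere that runs before Spark's static handler, for example a reverse proxy in front of Jetty, because a Spark before-filter is not on that path.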