perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin

SparkJava - failed to validate http methods for Static files

Prashantha-AV opened this issue · comments

Hi,

Need help on static files

Issue: When the application starts up, the static files can be accessed with any (GET, POST, XXX) HTTP method.
The application fails a vulnerability scan with the finding below:
identified: - Verb tampering, Only allow required http methods e.g. get, post.

Spark Java version : spark-core:2.7.2
Server: Jetty(9.4.14.v20181114)

Is it possible to add a filter or some other alternative to stop access to the static content from curl or Postman?

Sample reproducer

import static spark.Spark.halt;
import spark.Service;
public class ServerExample {

    public ServerExample() {
        Service service = Service.ignite().port(4568);
        service.staticFiles.externalLocation("C:\\dev");  //file attached for dev folder

        service.before((req, res) -> {
            System.out.println("Hello:" + req.headers());
        });

        service.get("/", (req, res) -> {
            if (!req.requestMethod().equalsIgnoreCase("GET")) {
                halt(401, "invalid Http method");
            }
            return null;
        });
    }
    public static void main(String[] args) {
        new ServerExample();
    }
}

Reproduce the issue from curl:

curl -X XYZ --insecure http://localhost:4568/
Response -> <!doctype html>Welcome

curl -X XYZ --insecure http://localhost:4568/manifest.json
Response ->
{
"icons": [
{
"src": "favicon.png",
"sizes": "48x48",

The XYZ call above is an invalid HTTP method.

The app should not respond to any invalid HTTP method; adding a filter on "/" is not considered.

Could anyone help to fix this?
dev.zip

@Prashantha-AV @perwendel
Hi. I think the correct behavior is to return a 405 code if the file is found, but the http method is not supported. Do you agree?