The request was rejected because the URL contained a potentially malicious String ";"报错解决

报错信息

浏览器中看到的报错

错误摘要：

The request was rejected because the URL contained a potentially malicious String ";"

从控制台看到的报错

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

环境信息

***Springboot2.0 + Spring Security ***

代码追踪

我们可以找到org.springframework.security.web.firewall.StrictHttpFirewall

/**
 * <p>
 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
 * is to disable this behavior because it is a common way of attempting to perform
 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
 * It is also the source of many exploits which bypass URL based security.
 * </p>
 * <p>For example, the following CVEs are a subset of the issues related
 * to ambiguities in the Servlet Specification on how to treat semicolons that
 * led to CVEs:
 * </p>
 * <ul>
 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
 * </ul>
 *
 * <p>
 * If you are wanting to allow semicolons, please reconsider as it is a very common
 * source of security bypasses. A few common reasons users want semicolons and
 * alternatives are listed below:
 * </p>
 * <ul>
 * <li>Including the JSESSIONID in the path - You should not include session id (or
 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
 * </li>
 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
 * using HTTP parameters instead.
 * </li>
 * </ul>
 *
 * @param allowSemicolon should semicolons be allowed in the URL. Default is false
 */
public void setAllowSemicolon(boolean allowSemicolon) {
	if (allowSemicolon) {
		urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
	} else {
		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
	}
}

这里提到了，如果您想要分号，请重新考虑，因为它是安全绕过的一个非常常见的来源。 下面列出了用户需要分号和替代品的一些常见原因：

在路径中包含JSESSIONID - 您不应在URL中包含会话ID（或任何敏感信息），因为它可能导致泄漏。 而是使用Cookies。

解决方案

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public HttpFirewall allowUrlSemicolonHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}

放开了该安全限制，就不会遇到该报错了，不适合对于安全性要求非常高的应用。