A security company has flagged our Spring Boot 2.3.4 applications for the error response returned when an HTTP TRACE request is sent. We are using the Tomcat container which already has the HTTP TRACE disabled by default, however the response does contain TRACE information. This is the output:
```
$ curl -k -i -X TRACE --cookie "VULNERABLE=Yes" http://localhost:9090
HTTP/1.1 405
Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
Content-Type: message/http
Content-Length: 116
Date: Fri, 16 Oct 2020 20:41:51 GMT

TRACE /error HTTP/1.1
host: localhost:9090
user-agent: curl/7.64.1
accept: */*
cookie: VULNERABLE=Yes
```
The only way I have been able to change this is to enable HTTP TRACE requests with this code in the configuration class annotated with `@Configuration`:

```java
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;

@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
    // Re-enable TRACE on the Tomcat connector (it is off by default);
    // TRACE requests are then rejected in the SecurityFilter with a custom error.
    return factory -> factory.addConnectorCustomizers(connector -> {
        connector.setAllowTrace(true); // filtered in the SecurityFilter with custom error
    });
}
```
Then I have added a servlet filter to intercept the request and return a custom response:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;

@Component
@Order(1)
public class SecurityFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest,
                         ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (HttpMethod.TRACE.name().equals(request.getMethod())) {
            // trace not allowed: answer 405 with a fixed body instead of echoing the request
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setContentType("message/http");
            response.getWriter().println("TRACE method not allowed");
            response.getWriter().flush();
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {
    }
}
```
The response from that same curl request is:
```
HTTP/1.1 405
Content-Type: message/http;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 12 Nov 2020 19:11:13 GMT

TRACE method not allowed
```
Has anyone encountered a similar issue? It seems like enabling trace just to be able to change the response body is not a good idea.
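As an added example (not code from the question), here is the variant I would reach for instead of re-enabling TRACE on the connector: leave Tomcat's default `allowTrace=false` in place and register the rejecting filter for the `ERROR` dispatch as well as `REQUEST`, on the assumption that the echoed `TRACE /error HTTP/1.1` body comes from the container's error-page forward to `/error` being handled as a TRACE by the servlet's default `doTrace`. Class and bean names are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

@Configuration
public class TraceRejectConfig { // hypothetical class name

    /** Answers TRACE with a fixed 405 and never reflects any part of the request. */
    static class TraceRejectFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            if ("TRACE".equalsIgnoreCase(request.getMethod())) {
                HttpServletResponse response = (HttpServletResponse) res;
                response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");
                response.setContentType("text/plain");
                response.getWriter().print("TRACE method not allowed");
                return; // stop the chain so nothing downstream can echo headers or cookies
            }
            chain.doFilter(req, res);
        }
    }

    @Bean
    public FilterRegistrationBean<TraceRejectFilter> traceRejectFilter() {
        FilterRegistrationBean<TraceRejectFilter> reg =
                new FilterRegistrationBean<>(new TraceRejectFilter());
        reg.addUrlPatterns("/*");
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
        // Assumption: the echo is produced during the error-page forward to /error,
        // so the filter must also run for DispatcherType.ERROR, not only REQUEST.
        reg.setDispatcherTypes(EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR));
        return reg;
    }
}
```

Re-run the same `curl -i -X TRACE --cookie "VULNERABLE=Yes"` check afterwards and confirm the body no longer contains the `cookie:` line.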