A security company has flagged our Spring Boot 2.3.4 applications for the error response returned when an HTTP TRACE request is sent. We are using the Tomcat container which already has the HTTP TRACE disabled by default, however the response does contain TRACE information. This is the output:
    $ curl -k -i -X TRACE --cookie "VULNERABLE=Yes" http://localhost:9090
    HTTP/1.1 405
    Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
    Content-Type: message/http
    Content-Length: 116
    Date: Fri, 16 Oct 2020 20:41:51 GMT

    TRACE /error HTTP/1.1
    host: localhost:9090
    user-agent: curl/7.64.1
    accept: */*
    cookie: VULNERABLE=Yes
The only way I have been able to change this is to enable HTTP TRACE requests with this code in the configuration class annotated with "@Configuration":
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        // Let the Tomcat connector accept TRACE so the request reaches the servlet filter
        return factory -> factory.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);  // filtered in the SecurityFilter with custom error
        });
    }
Then I have added a servlet filter to intercept the request and return a custom response:
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.stereotype.Component;

    @Component
    @Order(1)  // run before other filters so TRACE never reaches the dispatcher
    public class SecurityFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest servletRequest,
                             ServletResponse servletResponse,
                             FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            if (HttpMethod.TRACE.name().equals(request.getMethod())) {
                // TRACE not allowed: answer 405 with a fixed body instead of echoing the request
                HttpServletResponse response = (HttpServletResponse) servletResponse;
                response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                response.setContentType("message/http");
                response.getWriter().println("TRACE method not allowed");
                response.getWriter().flush();
                return;  // do not continue the chain
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override
        public void destroy() {
        }
    }
The response from that same curl request is:
    HTTP/1.1 405
    Content-Type: message/http;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Date: Thu, 12 Nov 2020 19:11:13 GMT

    TRACE method not allowed
Has anyone encountered a similar issue? It seems like enabling trace just to be able to change the response body is not a good idea.
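A small check for the two captures above, added here as an example and not part of the question or of Spring: it parses a raw `curl -i` response and reports which of the request's header values (the cookie in particular) the error body echoes back, so a fix can be verified without reading the body by eye. The function names and the sample data (taken from the captures quoted above) are this example's own.

```python
import re

# Added example (not from the question): parse a raw HTTP response captured
# with `curl -i` and report which request header values it echoes back.
# A safe TRACE rejection is a 405 whose body reflects nothing the client sent.


def parse_response(raw):
    """Return (status_code, header dict with lower-case names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflected_headers(request_headers, raw_response):
    """Names of request headers whose values appear verbatim in the body."""
    _, _, body = parse_response(raw_response)
    return sorted(n for n, v in request_headers.items() if v and v in body)


def trace_is_safe(request_headers, raw_response):
    """True if TRACE was refused (405) without echoing the request line or headers."""
    status, _, body = parse_response(raw_response)
    echoes = reflected_headers(request_headers, raw_response)
    echoed_request_line = re.match(r"TRACE \S+ HTTP/\d\.\d", body) is not None
    return status == 405 and not echoes and not echoed_request_line


# Constructed sample: the headers curl sent in the question, and the two
# responses quoted there (before and after the filter was added).
REQUEST_HEADERS = {"host": "localhost:9090", "user-agent": "curl/7.64.1",
                   "accept": "*/*", "cookie": "VULNERABLE=Yes"}

BEFORE = ("HTTP/1.1 405\r\nAllow: HEAD, DELETE, POST, GET, OPTIONS, PUT\r\n"
          "Content-Type: message/http\r\nContent-Length: 116\r\n"
          "Date: Fri, 16 Oct 2020 20:41:51 GMT\r\n\r\n"
          "TRACE /error HTTP/1.1\r\nhost: localhost:9090\r\n"
          "user-agent: curl/7.64.1\r\naccept: */*\r\ncookie: VULNERABLE=Yes\r\n")

AFTER = ("HTTP/1.1 405\r\nContent-Type: message/http;charset=ISO-8859-1\r\n"
         "Transfer-Encoding: chunked\r\nDate: Thu, 12 Nov 2020 19:11:13 GMT\r\n"
         "\r\nTRACE method not allowed\r\n")

if __name__ == "__main__":
    for name, resp in (("before", BEFORE), ("after", AFTER)):
        print(name, "safe:", trace_is_safe(REQUEST_HEADERS, resp),
              "echoed:", reflected_headers(REQUEST_HEADERS, resp))
```

The body of a real chunked capture is shown already de-chunked by `curl -i`, which is what the parser expects.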