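/**
 * Ensure the path does not contain a file extension, either in the filename
 * (e.g. "/jsonp.bat") or possibly after path parameters ("/jsonp;Setup.bat")
 * which could be used for RFD exploits.
 * <p>Since the last part of the path is expected to be a transport type, the
 * presence of an extension would not work. All we need to do is check if
 * there are any path parameters, which would have been removed from the
 * SockJS path during request mapping, and if found reject the request.
 * <p>The check runs on {@code URI#getPath()}, i.e. the decoded path, so a
 * percent-encoded {@code %3B} is caught the same way as a literal {@code ;}.
 * The string test itself lives in {@link #lastSegmentHasPathParameter(String)}
 * so the guard can be unit tested without building a {@code ServerHttpRequest}.
 * @param request the current request
 * @return {@code true} if the last path segment carries no {@code ;} path
 * parameter; {@code false} if the request must be rejected (also when the
 * URI has no path at all — the guard fails closed)
 */
private boolean validatePath(ServerHttpRequest request) {
	String path = request.getURI().getPath();
	if (path == null) {
		// No hierarchical path to inspect: refuse rather than assume it is safe.
		return false;
	}
	return !lastSegmentHasPathParameter(path);
}

/**
 * Whether the last segment of {@code path} (everything after the final
 * {@code '/'}, or the whole string when there is no slash) contains a
 * {@code ';'}. A semicolon there is how a filename is smuggled past request
 * mapping ({@code /jsonp;Setup.bat}), so its presence means "reject".
 * <p>Package-private only so it can be exercised directly from tests.
 * @param path a decoded URI path, never {@code null}
 * @return {@code true} if a {@code ';'} occurs in the last path segment
 */
static boolean lastSegmentHasPathParameter(String path) {
	String lastSegment = path.substring(path.lastIndexOf('/') + 1);
	return lastSegment.indexOf(';') != -1;
}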
/**
 * Extract the JSONP callback name from the {@code c} query parameter.
 * <p>The value is percent-decoded and then matched against
 * {@code CALLBACK_PARAM_PATTERN}; anything that does not match is dropped.
 * That pattern check is the control that keeps the callback safe to emit into
 * a script response — confirm it remains a strict identifier whitelist.
 * <p>Note that {@code URI#getQuery()} already returns the decoded query string
 * and the value is decoded a second time with {@code UriUtils#decode}. The
 * pattern is applied to the fully decoded result, so double-encoded input
 * cannot bypass it, but this only holds while the check stays in place.
 * @param request the current request
 * @return the validated callback name, or {@code null} when the parameter is
 * absent, empty, or fails the pattern check
 */
@Nullable
protected final String getCallbackParam(ServerHttpRequest request) {
	String decodedQuery = request.getURI().getQuery();
	MultiValueMap<String, String> queryParams =
			UriComponentsBuilder.newInstance().query(decodedQuery).build().getQueryParams();
	String rawCallback = queryParams.getFirst("c");
	if (!StringUtils.isEmpty(rawCallback)) {
		String callback = UriUtils.decode(rawCallback, StandardCharsets.UTF_8);
		if (CALLBACK_PARAM_PATTERN.matcher(callback).matches()) {
			return callback;
		}
	}
	return null;
}
/**
 * Complete the WebSocket upgrade on Jetty for a handshake that has already
 * been accepted (protocol and extensions negotiated by the caller).
 * <p>The handler container is published through {@code containerHolder}
 * (presumably a ThreadLocal, given the {@code set}/{@code remove} usage) only
 * for the duration of {@code acceptWebSocket}, and is always cleared in
 * {@code finally} so no state leaks to the next request on this thread.
 * @param request the current request; must be a {@code ServletServerHttpRequest}
 * @param response the current response; must be a {@code ServletServerHttpResponse}
 * @param selectedProtocol the negotiated sub-protocol, if any
 * @param selectedExtensions the negotiated extensions
 * @param user the authenticated principal, if any
 * @param wsHandler the handler to receive messages on the new session
 * @param attributes attributes to expose on the WebSocket session
 * @throws HandshakeFailureException if Jetty fails to write the upgrade response
 * @throws IllegalArgumentException if the request/response are not servlet-based
 * or the request is not a WebSocket upgrade request
 */
@Override
public void upgrade(ServerHttpRequest request, ServerHttpResponse response,
		String selectedProtocol, List<WebSocketExtension> selectedExtensions, Principal user,
		WebSocketHandler wsHandler, Map<String, Object> attributes) throws HandshakeFailureException {

	Assert.isInstanceOf(ServletServerHttpRequest.class, request, "ServletServerHttpRequest required");
	HttpServletRequest httpRequest = ((ServletServerHttpRequest) request).getServletRequest();
	Assert.isInstanceOf(ServletServerHttpResponse.class, response, "ServletServerHttpResponse required");
	HttpServletResponse httpResponse = ((ServletServerHttpResponse) response).getServletResponse();
	Assert.isTrue(this.factory.isUpgradeRequest(httpRequest, httpResponse), "Not a WebSocket handshake");

	JettyWebSocketSession wsSession = new JettyWebSocketSession(attributes, user);
	JettyWebSocketHandlerAdapter adapter = new JettyWebSocketHandlerAdapter(wsHandler, wsSession);
	WebSocketHandlerContainer handlerContainer =
			new WebSocketHandlerContainer(adapter, selectedProtocol, selectedExtensions);

	try {
		containerHolder.set(handlerContainer);
		this.factory.acceptWebSocket(httpRequest, httpResponse);
	}
	catch (IOException ex) {
		throw new HandshakeFailureException(
				"Response update failed during upgrade to WebSocket: " + request.getURI(), ex);
	}
	finally {
		containerHolder.remove();
	}
}
failure = new HandshakeFailureException("Uncaught failure for request " + request.getURI(), ex);
/**
 * Servlet entry point: wrap the servlet request/response in the
 * {@code ServerHttpRequest}/{@code ServerHttpResponse} abstractions and hand
 * them, together with the SockJS path, to the configured SockJS service.
 * <p>Every {@link Throwable} — including {@code Error}s — raised by the service
 * is wrapped in a {@code SockJsException} whose message embeds the request URI.
 * That URI includes the query string, so if the message is logged it carries
 * client-controlled text; bear this in mind when wiring log sinks.
 * @param servletRequest the current servlet request
 * @param servletResponse the current servlet response
 * @throws SockJsException wrapping any failure from the SockJS service
 */
@Override
public void handleRequest(HttpServletRequest servletRequest, HttpServletResponse servletResponse)
		throws ServletException, IOException {

	ServerHttpRequest httpRequest = new ServletServerHttpRequest(servletRequest);
	ServerHttpResponse httpResponse = new ServletServerHttpResponse(servletResponse);
	try {
		String sockJsPath = getSockJsPath(servletRequest);
		this.sockJsService.handleRequest(httpRequest, httpResponse, sockJsPath, this.webSocketHandler);
	}
	catch (Throwable ex) {
		throw new SockJsException("Uncaught failure in SockJS request, uri=" + httpRequest.getURI(), ex);
	}
}
failure = new HandshakeFailureException("Uncaught failure for request " + request.getURI(), ex);
logger.debug(request.getMethod() + " " + request.getURI());
/**
 * {@code getURI()} on a request-part wrapper must reflect the host, port, path
 * and query of the underlying mock servlet request, even when those are set
 * after the wrapper has been constructed.
 */
@Test
public void getURI() throws Exception {
	MockMultipartFile jsonPart =
			new MockMultipartFile("part", "", "application/json", "content".getBytes("UTF-8"));
	this.mockRequest.addFile(jsonPart);
	ServerHttpRequest partRequest = new RequestPartServletServerHttpRequest(this.mockRequest, "part");

	URI expectedUri = new URI("http://example.com/path?query");
	this.mockRequest.setServerName(expectedUri.getHost());
	this.mockRequest.setServerPort(expectedUri.getPort());
	this.mockRequest.setRequestURI(expectedUri.getPath());
	this.mockRequest.setQueryString(expectedUri.getQuery());

	assertEquals(expectedUri, partRequest.getURI());
}
if (transportType == null) {
if (logger.isWarnEnabled()) {
logger.warn("Unknown transport type for " + request.getURI());
if (transportHandler == null) {
if (logger.isWarnEnabled()) {
logger.warn("No TransportHandler for " + request.getURI());
failure = new SockJsException("Uncaught failure for request " + request.getURI(), sessionId, ex);
.query(request.getURI().getRawQuery())
.build(true)
.toUri();
SockJsFrameFormat frameFormat) throws SockJsException {
this.uri = request.getURI();
this.handshakeHeaders = request.getHeaders();
this.principal = request.getPrincipal();
/**
 * Return the configured handler only when the request path equals
 * {@code requestUri} exactly; otherwise {@code null}.
 * <p>The comparison is plain string equality on the decoded path: no
 * trailing-slash or dot-segment normalisation happens here, so any such
 * equivalence has to be established upstream (presumably by the container —
 * verify if this is relied upon).
 * @param request the current request
 * @return the handler for an exact path match, else {@code null}
 */
@Override
public Handler getHandler(ServerHttpRequest request) {
	String requestedPath = request.getURI().getPath();
	return (this.requestUri.equals(requestedPath) ? this.handler : null);
}
/**
 * Minimal reactive controller: answers {@code GET /greetings} with a
 * {@code Greeting} whose message is "Hello..." followed by the full request
 * URI as received (scheme, host, path and query).
 * <p>Note that this echoes the raw request URI — query string included — back
 * to the client. The {@code Mono<Greeting>} is rendered by a message writer
 * (typically as JSON), so it is not emitted as markup here, but the pattern
 * should not be copied into an endpoint that produces HTML.
 */
@RestController
public class GreetingController {

	@GetMapping("/greetings")
	public Mono<Greeting> greeting(ServerHttpRequest request) {
		String message = "Hello..." + request.getURI().toString();
		return Mono.just(new Greeting(message));
	}
}
/**
 * Extract the JSONP callback name from the {@code c} query parameter.
 * <p>The value is percent-decoded and then matched against
 * {@code CALLBACK_PARAM_PATTERN}; anything that does not match is dropped.
 * That pattern check is the control that keeps the callback safe to emit into
 * a script response — confirm it remains a strict identifier whitelist.
 * <p>Note that {@code URI#getQuery()} already returns the decoded query string
 * and the value is decoded a second time with {@code UriUtils#decode}. The
 * pattern is applied to the fully decoded result, so double-encoded input
 * cannot bypass it, but this only holds while the check stays in place.
 * @param request the current request
 * @return the validated callback name, or {@code null} when the parameter is
 * absent, empty, or fails the pattern check
 */
@Nullable
protected final String getCallbackParam(ServerHttpRequest request) {
	String decodedQuery = request.getURI().getQuery();
	MultiValueMap<String, String> queryParams =
			UriComponentsBuilder.newInstance().query(decodedQuery).build().getQueryParams();
	String rawCallback = queryParams.getFirst("c");
	if (!StringUtils.isEmpty(rawCallback)) {
		String callback = UriUtils.decode(rawCallback, StandardCharsets.UTF_8);
		if (CALLBACK_PARAM_PATTERN.matcher(callback).matches()) {
			return callback;
		}
	}
	return null;
}
/**
 * Extract the JSONP callback name from the {@code c} query parameter.
 * <p>The value is percent-decoded and then matched against
 * {@code CALLBACK_PARAM_PATTERN}; anything that does not match is dropped.
 * That pattern check is the control that keeps the callback safe to emit into
 * a script response — confirm it remains a strict identifier whitelist.
 * <p>Note that {@code URI#getQuery()} already returns the decoded query string
 * and the value is decoded a second time with {@code UriUtils#decode}. The
 * pattern is applied to the fully decoded result, so double-encoded input
 * cannot bypass it, but this only holds while the check stays in place.
 * @param request the current request
 * @return the validated callback name, or {@code null} when the parameter is
 * absent, empty, or fails the pattern check
 */
@Nullable
protected final String getCallbackParam(ServerHttpRequest request) {
	String decodedQuery = request.getURI().getQuery();
	MultiValueMap<String, String> queryParams =
			UriComponentsBuilder.newInstance().query(decodedQuery).build().getQueryParams();
	String rawCallback = queryParams.getFirst("c");
	if (!StringUtils.isEmpty(rawCallback)) {
		String callback = UriUtils.decode(rawCallback, StandardCharsets.UTF_8);
		if (CALLBACK_PARAM_PATTERN.matcher(callback).matches()) {
			return callback;
		}
	}
	return null;
}
/**
 * Servlet entry point: wrap the servlet request/response in the
 * {@code ServerHttpRequest}/{@code ServerHttpResponse} abstractions and hand
 * them, together with the SockJS path, to the configured SockJS service.
 * <p>Every {@link Throwable} — including {@code Error}s — raised by the service
 * is wrapped in a {@code SockJsException} whose message embeds the request URI.
 * That URI includes the query string, so if the message is logged it carries
 * client-controlled text; bear this in mind when wiring log sinks.
 * @param servletRequest the current servlet request
 * @param servletResponse the current servlet response
 * @throws SockJsException wrapping any failure from the SockJS service
 */
@Override
public void handleRequest(HttpServletRequest servletRequest, HttpServletResponse servletResponse)
		throws ServletException, IOException {

	ServerHttpRequest httpRequest = new ServletServerHttpRequest(servletRequest);
	ServerHttpResponse httpResponse = new ServletServerHttpResponse(servletResponse);
	try {
		String sockJsPath = getSockJsPath(servletRequest);
		this.sockJsService.handleRequest(httpRequest, httpResponse, sockJsPath, this.webSocketHandler);
	}
	catch (Throwable ex) {
		throw new SockJsException("Uncaught failure in SockJS request, uri=" + httpRequest.getURI(), ex);
	}
}
/**
 * Servlet entry point: wrap the servlet request/response in the
 * {@code ServerHttpRequest}/{@code ServerHttpResponse} abstractions and hand
 * them, together with the SockJS path, to the configured SockJS service.
 * <p>Every {@link Throwable} — including {@code Error}s — raised by the service
 * is wrapped in a {@code SockJsException} whose message embeds the request URI.
 * That URI includes the query string, so if the message is logged it carries
 * client-controlled text; bear this in mind when wiring log sinks.
 * @param servletRequest the current servlet request
 * @param servletResponse the current servlet response
 * @throws SockJsException wrapping any failure from the SockJS service
 */
@Override
public void handleRequest(HttpServletRequest servletRequest, HttpServletResponse servletResponse)
		throws ServletException, IOException {

	ServerHttpRequest httpRequest = new ServletServerHttpRequest(servletRequest);
	ServerHttpResponse httpResponse = new ServletServerHttpResponse(servletResponse);
	try {
		String sockJsPath = getSockJsPath(servletRequest);
		this.sockJsService.handleRequest(httpRequest, httpResponse, sockJsPath, this.webSocketHandler);
	}
	catch (Throwable ex) {
		throw new SockJsException("Uncaught failure in SockJS request, uri=" + httpRequest.getURI(), ex);
	}
}