You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Spring supports Matrix variables.
When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path
that may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let's see the following example:
// Spring controller
@GetMapping("/important/resources")
public String important() {...}
// Armeria decorator
ServerBuilder sb = ...
sb.decoratorUnder("/important/", authService);
If an attacker sends a request with /important;a=b/resources, the request would bypass the authrorizer
Impact
Spring supports Matrix variables.
When Spring integration is used, Armeria calls Spring controllers via
TomcatServiceorJettyServicewith the paththat may contain matrix variables.
In this situation, the Armeria decorators might not invoked because of the matrix variables.
Let's see the following example:
If an attacker sends a request with
/important;a=b/resources, the request would bypass the authrorizerPatches
Workarounds
Users can add decorators using regex.
e.g. "regex:^/important.*"