Trace filter ignores invalid requests

Fixes gh-12987

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java

@@ -17,6 +17,8 @@
 package org.springframework.boot.actuate.web.trace.servlet;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -76,6 +78,10 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 	protected void doFilterInternal(HttpServletRequest request,
 			HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
+		if (!isRequestValid(request)) {
+			filterChain.doFilter(request, response);
+			return;
+		}
 		TraceableHttpServletRequest traceableRequest = new TraceableHttpServletRequest(
 				request);
 		HttpTrace trace = this.tracer.receivedRequest(traceableRequest);
@@ -95,6 +101,16 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 		}
 	}
 
+	private boolean isRequestValid(HttpServletRequest request) {
+		try {
+			new URI(request.getRequestURL().toString());
+			return true;
+		}
+		catch (URISyntaxException ex) {
+			return false;
+		}
+	}
+
 	private String getSessionId(HttpServletRequest request) {
 		HttpSession session = request.getSession(false);
 		return (session != null ? session.getId() : null);

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java

@@ -127,4 +127,13 @@ public class HttpTraceFilterTests {
 		}
 	}
 
+	@Test
+	public void filterRejectsInvalidRequests() throws ServletException, IOException {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setServerName("<script>alert(document.domain)</script>");
+		this.filter.doFilter(request, new MockHttpServletResponse(),
+				new MockFilterChain());
+		assertThat(this.repository.findAll()).hasSize(0);
+	}
+
 }