From ed734d7e438ae318f486a26ec096ef0bed21c183 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Wed, 6 Jun 2018 11:43:20 -0700
Subject: [PATCH] Trace filter ignores invalid requests

Fixes gh-12987
---
 .../web/trace/servlet/HttpTraceFilter.java | 16 ++++++++++++++++
 .../trace/http/servlet/HttpTraceFilterTests.java | 9 +++++++++
 2 files changed, 25 insertions(+)

diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
index 25a70c33f4..30ad132bea 100644
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
@@ -17,6 +17,8 @@
 package org.springframework.boot.actuate.web.trace.servlet;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -76,6 +78,10 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 protected void doFilterInternal(HttpServletRequest request,
 HttpServletResponse response, FilterChain filterChain)
 throws ServletException, IOException {
+ if (!isRequestValid(request)) {
+ filterChain.doFilter(request, response);
+ return;
+ }
 TraceableHttpServletRequest traceableRequest = new TraceableHttpServletRequest(
 request);
 HttpTrace trace = this.tracer.receivedRequest(traceableRequest);
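Review bot: The early return added to doFilterInternal forwards an unparseable request down the chain without leaving any record, so requests that are malformed, which are often the ones worth seeing when investigating probing or a broken client, disappear from the trace repository and, as far as this hunk shows, from the logs as well. A debug-level line just before `filterChain.doFilter(request, response);` would keep them visible, for example `logger.debug("Skipping HTTP trace: request URL is not a valid URI");`, assuming the `logger` field inherited from the filter base class is in scope here. Keep the raw URL out of that message, since it is malformed by definition and supplied by the client. The body of doFilterInternal continues past the end of the hunk.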
@@ -95,6 +101,16 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 }
 }
 
+ private boolean isRequestValid(HttpServletRequest request) {
+ try {
+ new URI(request.getRequestURL().toString());
+ return true;
+ }
+ catch (URISyntaxException ex) {
+ return false;
+ }
+ }
+
 private String getSessionId(HttpServletRequest request) {
 HttpSession session = request.getSession(false);
 return (session != null ? session.getId() : null);
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
index 708a03135c..4bc332e527 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
@@ -127,4 +127,13 @@ public class HttpTraceFilterTests {
 }
 }
 
+ @Test
+ public void filterRejectsInvalidRequests() throws ServletException, IOException {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setServerName("");
+ this.filter.doFilter(request, new MockHttpServletResponse(),
+ new MockFilterChain());
+ assertThat(this.repository.findAll()).hasSize(0);
+ }
+
 }
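Review bot: isRequestValid checks only what `getRequestURL()` returns, which is scheme, host, port and path without the query string, so the name promises more than the method verifies. If the code that later turns the traced request into a URI appends the query string (not visible in this patch), a malformed query would pass this check and still fail there; parsing the same string the trace will parse would close that gap. At minimum, a comment such as `// Checks only that the URL without its query string parses as a java.net.URI; nothing else about the request is validated` would stop readers from treating it as general request validation.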
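Review bot: filterRejectsInvalidRequests asserts only that nothing was recorded, so it would also pass if the filter dropped the request instead of forwarding it, and the name says "rejects" although the production code passes the request on. Holding the chain in a local, `MockFilterChain chain = new MockFilterChain();`, and adding `assertThat(chain.getRequest()).isNotNull();` would pin the property that matters for filters further down the chain: a malformed request goes untraced but is still processed by them. `assertThat(this.repository.findAll()).isEmpty();` reads better than `hasSize(0)`, and a name like `filterDoesNotTraceInvalidRequests` would match the behaviour.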