Regression: ResourceUrlEncodingFilter can throw StringIndexOutOfBoundsException with relative URL [SPR-13847]

[spring-projects-issues]

Dallas Hopewell opened SPR-13847 and commented

I have a web application that is throwing the following exception after updating from Spring Framework version 4.1.7 to 4.2.4

Caused by java.lang.StringIndexOutOfBoundsException: String index out of range: -3
  java.lang.String.substring(String.java:1967)
  org.springframework.web.servlet.resource.ResourceUrlEncodingFilter$ResourceUrlEncodingResponseWrapper.encodeURL(ResourceUrlEncodingFilter.java:80)
  javax.servlet.http.HttpServletResponseWrapper.encodeURL(HttpServletResponseWrapper.java:76)
  javax.servlet.http.HttpServletResponseWrapper.encodeURL(HttpServletResponseWrapper.java:76)
  org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.encodeURL(SaveContextOnUpdateOrErrorResponseWrapper.java:118)
  javax.servlet.http.HttpServletResponseWrapper.encodeURL(HttpServletResponseWrapper.java:76)
  org.apache.taglibs.standard.tag.common.core.UrlSupport.doEndTag(UrlSupport.java:117)
  org.apache.jsp.WEB_002dINF.jsp.tasks.context_jsp._jspx_meth_c_005furl_005f0(context_jsp.java:400)
  org.apache.jsp.WEB_002dINF.jsp.tasks.context_jsp._jspService(context_jsp.java:153)

The part of the JSP where the error occurs is: -

<c:url var="reviewUrl" value="review.html"><c:param name="referrer" value="${referrer}"/></c:url>

The problem seems to be when the javax.servlet.http.HttpServletResponseWrapper#encodeURL(String) method is invoked with a 'relative' URL path including a query string, and that query string index in the URL path is less than the number of characters in the web application's context path then the exception is thrown.

---

Affects: 4.2.4

Attachments:

• SPR13847.java (4.28 kB)

Issue Links:

• ResourceUrlProvider should only consider paths and not request parameters [SPR-13374] #17956 ResourceUrlProvider should only consider paths and not request parameters
• StringIndexOutOfBoundsException in ResourceUrlEncodingFilter [SPR-13018] #17609 StringIndexOutOfBoundsException in ResourceUrlEncodingFilter
• StringIndexOutOfBoundsException when rewriting links in CSS resources [SPR-16526] #21069 StringIndexOutOfBoundsException when rewriting links in CSS resources

[spring-projects-issues]

Dallas Hopewell commented

Attaching a unit test that exhibits the issue in case this helps.

[spring-projects-issues]

Brian Clozel commented

Hi Dallas,
First, thanks a lot for this report!
This is now fixed in the master and 4.2.x branches, meaning you'll be able to test this fix with the latest 4.2.5.BUILD-SNAPSHOT and 4.3.0.BUILD-SNAPSHOT versions very soon.

Don't hesitate to comment with more feedback / confirm that this fix is working for you.

[spring-projects-issues]

Ravish Bhagdev commented

I'm getting a similar issue on 4.3.13 as well:

2018-02-22T11:27:31.721017610Z java.lang.StringIndexOutOfBoundsException: String index out of range: -2
2018-02-22T11:27:31.721022567Z  at java.lang.String.substring(String.java:1967) ~[na:1.8.0_161]
2018-02-22T11:27:31.721027608Z  at org.springframework.web.servlet.resource.ResourceUrlProvider.getForRequestUrl(ResourceUrlProvider.java:187) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721032196Z  at org.springframework.web.servlet.resource.ResourceTransformerSupport.resolveUrlPath(ResourceTransformerSupport.java:80) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721037033Z  at org.springframework.web.servlet.resource.CssLinkResourceTransformer.transform(CssLinkResourceTransformer.java:105) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721041105Z  at org.springframework.web.servlet.resource.DefaultResourceTransformerChain.transform(DefaultResourceTransformerChain.java:67) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721045190Z  at org.springframework.web.servlet.resource.CachingResourceTransformer.transform(CachingResourceTransformer.java:76) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721049282Z  at org.springframework.web.servlet.resource.DefaultResourceTransformerChain.transform(DefaultResourceTransformerChain.java:67) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721053655Z  at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.getResource(ResourceHttpRequestHandler.java:538) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721058140Z  at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:433) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721063672Z  at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:51) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]
2018-02-22T11:27:31.721068193Z  at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.13.RELEASE.jar!/:4.3.13.RELEASE]

It seems like the relative paths to PNG files within my CSS are being processed incorrectly. Prefix and suffix generated in ResourceUrlProvider.java on line number 183 and 184 and then incorrect:
int prefixIndex = getLookupPathIndex(request);
int suffixIndex = getEndPathIndex(requestUrl);

Suffix index is often > prefix index. Causing above exception.

Here is my configuration:

VersionResourceResolver versionResourceResolver = new VersionResourceResolver()
                    .addVersionStrategy(new ContentVersionStrategy(), "/**");

            registry.addResourceHandler("/js/**", "/css/**", "/images/**", "/favicon.ico")
                    .addResourceLocations(
                            "classpath:static/js/", "static/js/",
                            "classpath:static/css/", "static/css/",
                            "classpath:static/images/", "static/images/"
                    )
                    .setCachePeriod(CACHE_PERIOD)
                    .resourceChain(true)
                    .addResolver(versionResourceResolver);

Works fine if I remove versionResourceResolver from above resource handler registry.

Can someone please 1) Confirm this is an issue in 4.3.13 and 2) Which version has the fix applied? It is mentioned that 4.3 RC1 has the fix so I am confused by this.

[spring-projects-issues]

Brian Clozel commented

Ravish Bhagdev Yes, it is supposed to be fixed in 4.3.13.
Could you create a new issue with a repro project we can take a look at? Your configuration is not enough, having a small, reproducible sample would help us figure things out.

Thanks!

[spring-projects-issues]

Ravish Bhagdev commented

Thanks for a prompt response @bclozel . But that is not going be easy for me.

The CSS I'm having problems with loads fine on all our 5 web services but one. It fails on the one which has a relatively longer context path.

The application is quite big and works on dockerised environment, brining in a lot of vendor scripts. So creating exact scenario in a small project will be some effort. I may get around to this when I have more time.

[spring-projects-issues]

Ravish Bhagdev commented

I've raised a separate issue for ResourceUrlProvider anyway here:
#21069