Actuator in Spring Boot 3.0 breaks RequestRejectedException logic #33985
Labels
- for: external-project: For an external project and not something we can fix
- status: duplicate: A duplicate of another issue
Summary
In Spring Security 6 the RequestRejectedException behaviour was changed to return 400 (Bad Request) if the URL contains text forbidden by the HTTP firewall, such as ";" or "//" (spring-projects/spring-security#7568). However, after upgrading to Spring Boot 3.0.2, if the project contains spring-boot-starter-actuator as a dependency, the application responds with 200 instead of 400.
How to replicate
Create a new Spring Boot 3 application and implement the simple test:
This test will succeed as expected.
Then add the dependency:
The test will fail.
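The following MockMvc test is an added illustration of the check described above; it is not the reporter's original test. It assumes a Spring Boot 3 application with spring-boot-starter-web and spring-boot-starter-security on the classpath, and the package and class names are hypothetical. Without actuator it passes, because StrictHttpFirewall throws RequestRejectedException for ";" and "//" and Spring Security 6 maps that to 400; with spring-boot-starter-actuator added, the behaviour reported in this issue makes both assertions fail with a 200.

```java
package com.example.demo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not the reporter's original test. Assumes a Spring Boot 3 app
// with spring-boot-starter-web and spring-boot-starter-security on the classpath.
// @AutoConfigureMockMvc registers the springSecurityFilterChain, so requests pass
// through FilterChainProxy and its HTTP firewall before reaching any controller.
@SpringBootTest
@AutoConfigureMockMvc
class HttpFirewallRejectionTest {

    @Autowired
    private MockMvc mockMvc;

    // StrictHttpFirewall rejects ";" in the request URI and throws
    // RequestRejectedException; the Spring Security 6 default handler
    // (HttpStatusRequestRejectedHandler) turns that into HTTP 400.
    @Test
    void semicolonInPathIsRejectedWith400() throws Exception {
        mockMvc.perform(get("/hello;evil=1"))
                .andExpect(status().isBadRequest());
    }

    // "//" is on the same block list, so it must also produce 400.
    @Test
    void doubleSlashInPathIsRejectedWith400() throws Exception {
        mockMvc.perform(get("//hello"))
                .andExpect(status().isBadRequest());
    }
}
```

No controller mapping is needed for these paths: the firewall rejects the request inside FilterChainProxy before dispatch, which is exactly why a 200 here indicates the rejection handler has been swapped for one that does not send the error status.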
The reason
As far as I can see, it happens because the requestRejectedHandler in the FilterChainProxy has been replaced with an ObservationMarkingRequestRejectedHandler, which doesn't correctly handle the RequestRejectedException.
Workaround
As a workaround I excluded these autoconfigurations:
- org.springframework.boot.actuate.autoconfigure.observation.ObservationAutoConfiguration
- org.springframework.boot.actuate.autoconfigure.observation.web.servlet.WebMvcObservationAutoConfiguration
But I think that ObservationMarkingRequestRejectedHandler should handle such an exception correctly by default, and the response should be 400 as expected.
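One way to apply the exclusion listed above, as an added example rather than the reporter's own configuration; the application class name and package are hypothetical, and the two auto-configuration classes are the ones named in the workaround:

```java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.observation.ObservationAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.observation.web.servlet.WebMvcObservationAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// Added example (hypothetical application class). Excluding these two
// auto-configurations keeps Spring Security's default
// HttpStatusRequestRejectedHandler in place, so firewall rejections
// are returned as 400 again.
@SpringBootApplication(exclude = {
        ObservationAutoConfiguration.class,
        WebMvcObservationAutoConfiguration.class
})
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
```

The same effect can be reached without touching the application class by listing the two classes under the spring.autoconfigure.exclude property. Either way the trade-off is that HTTP request observations (and the actuator metrics derived from them) are switched off for the application, so this is a stopgap until the handler itself is fixed rather than a permanent configuration.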