Restrict HTTP methods on Reactive HiddenHttpMethodFilter

bclozel · bclozel · commit dac97f1b7dac · 2018-06-11T19:17:00.000+02:00
This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter (Reactive variant) to the following: PUT, DELETE, PATCH. This filter is meant to be used to simulate those methods from HTML forms sent by browsers, so no other methods are allowed. Issue: SPR-16836 (Cherry-picked from a5cd01a)
diff --git a/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java b/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.web.filter.reactive;
 
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Locale;
 
 import reactor.core.publisher.Mono;
@@ -45,6 +48,10 @@
  */
 public class HiddenHttpMethodFilter implements WebFilter {
 
+	private static final List<HttpMethod> ALLOWED_METHODS =
+			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
+					HttpMethod.DELETE, HttpMethod.PATCH));
+
 	/** Default name of the form parameter with the HTTP method to use */
 	public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
 
@@ -87,7 +94,12 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 	private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
 		HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
 		Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
-		return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
+		if (ALLOWED_METHODS.contains(httpMethod)) {
+			return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
+		}
+		else {
+			return exchange;
+		}
 	}
 
 }
diff --git a/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java b/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,6 +52,12 @@ public void filterWithParameter() {
 		assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
 	}
 
+	@Test
+	public void filterWithParameterMethodNotAllowed() {
+		postForm("_method=TRACE").block(Duration.ZERO);
+		assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
+	}
+
 	@Test
 	public void filterWithNoParameter() {
 		postForm("").block(Duration.ZERO);
