From 3077f0e6418b4d8c7be1efd130a8d3ca48f5c749 Mon Sep 17 00:00:00 2001
From: Aurelien Poscia
Date: Thu, 30 Mar 2023 15:27:00 +0200
Subject: [PATCH] SONAR-18393 Return 400 Bad Request in case request contains unsupported char
---
 .../sonar/server/platform/web/SecurityServletFilter.java | 5 +++++
 .../server/platform/web/SecurityServletFilterTest.java | 9 +++++++++
 2 files changed, 14 insertions(+)
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
index 83522dc7c14..cf90d58805c 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -64,6 +64,11 @@ public class SecurityServletFilter implements Filter {
 * Adds security HTTP headers in the response. The headers are added using {@code setHeader()}, which overwrites existing headers.
 */
 public static void addSecurityHeaders(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+ if (httpRequest.getRequestURI() == null) {
+ httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
+
 // Clickjacking protection
 // See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
 // The protection is disabled on purpose for integration in external systems like Github (/integration/github).
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
index 4e3f7311d2a..bc4d8ed5f97 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
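Review bot: The early return added at `+ if (httpRequest.getRequestURI() == null) {` skips the clickjacking and other security headers that the rest of addSecurityHeaders sets, so the 400 response goes out without them, and because the method is static void the caller gets no signal that the request was rejected; doFilter is outside this hunk, but if it invokes chain.doFilter() unconditionally after this call, downstream code can still run and overwrite the status. Consider performing the null check in doFilter and returning there without invoking the chain, or returning a boolean from addSecurityHeaders that the caller checks, and in either case keep setting the headers on the 400 response. The link between a null request URI and the "unsupported char" case named in the subject is container behaviour that the code does not explain; a comment such as `// The container returns a null URI when the request line could not be parsed (e.g. unsupported characters); reject early rather than dereference it in the /integration/github check below.` would ground the check, hedged to whatever the container actually guarantees.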
@@ -40,6 +40,15 @@ public class SecurityServletFilterTest {
 private HttpServletResponse response = mock(HttpServletResponse.class);
 private FilterChain chain = mock(FilterChain.class);
+ @Test
+ public void ifRequestUriIsNull_returnBadRequest() throws ServletException, IOException {
+ HttpServletRequest request = newRequest("GET", "/");
+ when(request.getRequestURI()).thenReturn(null);
+
+ underTest.doFilter(request, response, chain);
+ verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ }
+
 @Test
 public void allow_GET_method() throws IOException, ServletException {
 assertThatMethodIsAllowed("GET");
--
2.39.5
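Review bot: The new test ifRequestUriIsNull_returnBadRequest only verifies that setStatus(SC_BAD_REQUEST) was called; it does not pin that the request was short-circuited, so a filter that sets 400 and then still passes the request down the chain would pass this test. Add `verify(chain, never()).doFilter(request, response);` after the existing verify so the rejection path is actually asserted.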