
Restrict shallow ETag filter routes #482

Merged
JuliusHenke merged 2 commits into master from codex/propose-fix-for-etag-vulnerability on May 10, 2026

Conversation

@JuliusHenke
Member

Motivation

  • The global ShallowEtagHeaderFilter was being registered as an unrestricted bean which causes Spring to buffer full response bodies for ETag generation and can amplify memory/CPU usage for large public endpoints such as /relay/location/day/{day}.
  • The change aims to remove the global response-buffering behavior for unbounded endpoints while preserving ETag caching for small, bounded routes.

Description

  • Replace the globally auto-registered ShallowEtagHeaderFilter bean with a FilterRegistrationBean<ShallowEtagHeaderFilter> so the filter is only applied to explicitly listed small/bounded routes in backend/src/main/kotlin/org/tormap/config/AppConfig.kt.
  • Limit the filter URL patterns to safe endpoints (/relay/location/days, /relay/details/relay/*, /relay/details/family/*) to avoid buffering large day-by-day relay responses.
  • Update the Spring context test in backend/src/test/kotlin/org/tormap/config/SecurityConfigTest.kt to assert the FilterRegistrationBean is registered with the expected URL patterns.

Testing

  • Attempted to run the SecurityConfigTest with Gradle (./gradlew --no-daemon test --tests org.tormap.config.SecurityConfigTest), but the build failed in this environment because the Kotlin Gradle plugin could not be resolved from the plugin portal. (Test not executed.)
  • Attempted the same test with JAVA_HOME set to Java 17 to work around a Java parsing issue, but the run still failed due to inability to resolve the org.jetbrains.kotlin.jvm:1.9.25 plugin from the Gradle plugin repository in this environment. (Test not executed.)
  • Ran repository checks (git diff --check) which reported no whitespace/diff errors on the modified files.

Codex Task
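The two registrations the description contrasts, as an added illustration (not the project's AppConfig.kt; the package, class and bean names are assumed): the bare filter bean that Spring Boot auto-maps to every path, beside the FilterRegistrationBean scoped to the three listed routes.

```kotlin
package org.example.config // hypothetical package, not tormap's

import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.web.filter.ShallowEtagHeaderFilter

@Configuration
class HttpCachingConfig {

    // BEFORE (the setting the PR removes): Spring Boot auto-registers any
    // Filter bean for "/*", so every response body, including the large
    // /relay/location/day/{day} payload, is buffered in full so the filter
    // can hash it into an ETag.
    // @Bean
    // fun shallowEtagHeaderFilter() = ShallowEtagHeaderFilter()

    // AFTER: a FilterRegistrationBean carries explicit servlet URL patterns,
    // so Spring Boot applies the filter only to those paths.
    @Bean
    fun shallowEtagHeaderFilter(): FilterRegistrationBean<ShallowEtagHeaderFilter> {
        val registration = FilterRegistrationBean(ShallowEtagHeaderFilter())
        // Servlet patterns, not Ant patterns: "/relay/details/relay/*" is a
        // path-prefix match, and nothing here matches /relay/location/day/...
        registration.addUrlPatterns(
            "/relay/location/days",
            "/relay/details/relay/*",
            "/relay/details/family/*",
        )
        registration.setName("shallowEtagHeaderFilter")
        return registration
    }
}
```

Any new bounded route that should be cacheable has to be added to the pattern list explicitly; an unlisted route falls outside the filter and is never buffered.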

Copilot AI review requested due to automatic review settings May 10, 2026 15:16
@JuliusHenke
Member Author

@copilot add tests that check the actual existence of the ETag header for all desired endpoints and its absence for the undesired endpoint.

Contributor

Copilot AI left a comment


Pull request overview

This PR narrows the scope of Spring’s ShallowEtagHeaderFilter so it no longer applies globally (and thus no longer forces response-body buffering) on large/unbounded endpoints like /relay/location/day/{day}, while keeping ETag support for selected smaller routes.

Changes:

  • Replace the globally-registered ShallowEtagHeaderFilter bean with a FilterRegistrationBean limited to specific URL patterns.
  • Add/adjust a Spring context test to assert the filter registration URL patterns.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
backend/src/main/kotlin/org/tormap/config/AppConfig.kt | Registers ShallowEtagHeaderFilter via FilterRegistrationBean and restricts it to a small set of URL patterns.
backend/src/test/kotlin/org/tormap/config/SecurityConfigTest.kt | Adds assertions that the filter registration bean exists and is configured with the expected URL patterns.


Comment thread backend/src/main/kotlin/org/tormap/config/AppConfig.kt
Contributor

Copilot AI commented May 10, 2026

@copilot add tests that check the actual existence of the ETag header for all desired endpoints and its absence for the undesired endpoint.

Implemented in commit 2b43144. Added MockMvc assertions in HttpCachingConfigTest that verify ETag is present for /relay/location/days, /relay/details/relay/{id}, and /relay/details/family/{id}, and absent for /relay/location/day/{day}.

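The route-level check requested above, as an added example rather than the project's HttpCachingConfigTest: a standalone MockMvc test with a constructed stub controller (hypothetical StubRelayController and handler names) that mounts the filter under the same URL patterns and asserts that the ETag header is present on the bounded routes and absent on /relay/location/day/{day}.

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.test.web.servlet.get
import org.springframework.test.web.servlet.setup.MockMvcBuilders
import org.springframework.test.web.servlet.setup.StandaloneMockMvcBuilder
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.PathVariable
import org.springframework.web.bind.annotation.RestController
import org.springframework.web.filter.ShallowEtagHeaderFilter

// Constructed stand-in for the real relay controllers (hypothetical names).
@RestController
class StubRelayController {
    @GetMapping("/relay/location/days") fun days() = listOf("2026-05-01", "2026-05-02")
    @GetMapping("/relay/details/relay/{id}") fun relay(@PathVariable id: String) = mapOf("id" to id)
    @GetMapping("/relay/details/family/{id}") fun family(@PathVariable id: String) = mapOf("family" to id)
    @GetMapping("/relay/location/day/{day}") fun day(@PathVariable day: String) = List(10_000) { "$day-$it" }
}

class ShallowEtagRoutesTest {
    // Same patterns as the FilterRegistrationBean in AppConfig.kt.
    private val registration = FilterRegistrationBean(ShallowEtagHeaderFilter()).apply {
        addUrlPatterns("/relay/location/days", "/relay/details/relay/*", "/relay/details/family/*")
    }

    // Mount the filter with exactly the declared patterns, so the assertions
    // exercise the servlet URL-pattern matching rather than a "/*" default.
    private val mockMvc = MockMvcBuilders.standaloneSetup(StubRelayController())
        .addFilter<StandaloneMockMvcBuilder>(registration.filter, *registration.urlPatterns.toTypedArray())
        .build()

    @Test
    fun `bounded routes carry an ETag`() {
        for (path in listOf("/relay/location/days", "/relay/details/relay/abc", "/relay/details/family/xyz")) {
            mockMvc.get(path).andExpect {
                status { isOk() }
                header { exists("ETag") }
            }
        }
    }

    @Test
    fun `unbounded day route is not buffered`() {
        mockMvc.get("/relay/location/day/2026-05-01").andExpect {
            status { isOk() }
            header { doesNotExist("ETag") }
        }
    }
}
```

Because the filter is mounted in a standalone MockMvc, the check runs without booting the application context, so it is unaffected by the plugin-resolution and network problems noted in this thread.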

@JuliusHenke JuliusHenke merged commit 82a53cd into master May 10, 2026
6 checks passed
@JuliusHenke JuliusHenke deleted the codex/propose-fix-for-etag-vulnerability branch May 10, 2026 15:39

3 participants