We have got path based vulnerability issues in Qualys report. I have gone through stackoverflow questions like this one and configured useDefaultSuffixPattern as false as shown below.
I am still able to load the page with /about.anything even though in controller I have given as @RequestMapping(value = "/about")
Is there any other configuration we need to update to stop this from happening?
<bean
class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="order" value="0" />
<!-- Set whether to register paths using the default suffix pattern as
well: i.e. whether "/users" should be registered as "/users.*" and "/users/"
too. Default is "true". Turn this convention off if you intend to interpret
your @RequestMapping paths strictly. Note that paths which include a ".xxx"
suffix or end with "/" already will not be transformed using the default
suffix pattern in any case. -->
<property name="useDefaultSuffixPattern" value="false" />
<property name="pathMatcher" ref="pathMatcher" />
</bean>
We are using hybris 1811 version
This might be happening because of an inherent bug in Spring where it ignores everything after the dot(.) in the URL.
To resolve this you must create the path variable pattern for GET call in your controller more rigid.