From 3a28266d0bf08ace62f9f6db2a5f829eaec12d02 Mon Sep 17 00:00:00 2001
From: d036670 <markus.strehle@sap.com>
Date: Thu, 8 Dec 2022 15:44:10 +0100
Subject: [PATCH] No trace method dispatch

---
 uaa/src/main/webapp/WEB-INF/web.xml           |  2 +-
 .../integration/feature/ErrorRoutingIT.java   | 52 +++++++++++++++----
 2 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/uaa/src/main/webapp/WEB-INF/web.xml b/uaa/src/main/webapp/WEB-INF/web.xml
index 8b0ff4261dd..8f0724dc22b 100755
--- a/uaa/src/main/webapp/WEB-INF/web.xml
+++ b/uaa/src/main/webapp/WEB-INF/web.xml
@@ -103,7 +103,7 @@
         </init-param>
         <init-param>
             <param-name>dispatchTraceRequest</param-name>
-            <param-value>true</param-value>
+            <param-value>false</param-value>
         </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java
index 9ddfc4542aa..9c0776f631e 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/ErrorRoutingIT.java
@@ -1,5 +1,6 @@
 package org.cloudfoundry.identity.uaa.integration.feature;
 
+import org.apache.commons.io.IOUtils;
 import org.junit.*;
 import org.junit.runner.RunWith;
 import org.openqa.selenium.By;
@@ -9,7 +10,9 @@
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.URL;
 
@@ -37,14 +40,20 @@ public void testMethodNotAllowedRoutedToErrorPage() {
 
     @Test
     public void testStatusCodeToErrorPage() throws IOException {
-        CallErrorPageAndCheckHttpStatusCode("/error", 200);
-        CallErrorPageAndCheckHttpStatusCode("/error404", 200);
-        CallErrorPageAndCheckHttpStatusCode("/error429", 200);
-        CallErrorPageAndCheckHttpStatusCode("/error500", 200);
-        CallErrorPageAndCheckHttpStatusCode("/errorAny", 200);
-        CallErrorPageAndCheckHttpStatusCode("/rejected", 200);
-        CallErrorPageAndCheckHttpStatusCode("/saml_error", 200);
+        CallErrorPageAndCheckHttpStatusCode("/error", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/error404", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/error429", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/error500", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/errorAny", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/rejected", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/saml_error", "GET", 200);
+        CallErrorPageAndCheckHttpStatusCode("/error", "GET", 200);
+    }
 
+    @Test
+    public void testResponseToErrorPage() throws IOException {
+        String body = CallErrorPageAndCheckHttpStatusCode("/info", "TRACE", 405);
+        Assert.assertTrue("Expected no response HTML body, but received: " + body, body.indexOf("<html") == -1);
     }
 
     @Test
@@ -54,14 +63,37 @@ public void testRequestRejectedExceptionErrorPage() throws IOException {
 
         Assert.assertTrue("Check if on the error page", webDriver.findElement(By.tagName("h2")).getText().contains("The request was rejected because it contained a potentially malicious character."));
 
-        CallErrorPageAndCheckHttpStatusCode(rejectedEndpoint, 400);
+        CallErrorPageAndCheckHttpStatusCode(rejectedEndpoint, "GET", 400);
     }
 
-    private void CallErrorPageAndCheckHttpStatusCode(String errorPath, int codeExpected) throws IOException {
+    private String CallErrorPageAndCheckHttpStatusCode(String errorPath, String method, int codeExpected) throws IOException {
         HttpURLConnection cn = (HttpURLConnection)new URL(baseUrl + errorPath).openConnection();
-        cn.setRequestMethod("GET");
+        cn.setRequestMethod(method);
         // connection initiate
         cn.connect();
         Assert.assertEquals("Check status code from " + errorPath + " is " + codeExpected, cn.getResponseCode(), codeExpected);
+        return getResponseBody(cn);
+    }
+
+    private String getResponseBody(HttpURLConnection connection) throws IOException {
+        BufferedReader reader;
+        if (200 <= connection.getResponseCode() && connection.getResponseCode() <= 299) {
+            reader = new BufferedReader(new InputStreamReader((connection.getInputStream())));
+        } else {
+            reader = new BufferedReader(new InputStreamReader((connection.getErrorStream())));
+        }
+
+        StringBuffer sb = new StringBuffer();
+        int BUFFER=4096;
+        char[] buffer = new char[4096];
+        int charsRead = 0;
+        try {
+            while ( (charsRead  = reader.read(buffer, 0, BUFFER)) != -1) {
+                sb.append(buffer, 0, charsRead);
+            }
+        } catch (IOException ie) {
+            IOUtils.close(connection);
+        }
+        return sb.toString();
     }
 }