in a console send curl request: curl localhost:3000//
or use httpie: http :3000//
terminal should hangs and fails after timeout http: error: Request timed out (30s).
I didn't investigate if connections will be opened while all such requests will waiting for theirs timeouts. If so, attackers can easily DDoS these kind of spring 5 apps by sending 65k requests for 30 seconds
Turns out java.net.URI does not mind multiple slashes after all and I misread the spec where "segment" is defined as any number of chars. So http://localhost:3000// is okay but it fails on Netty because we parse the path ("//") independently as a URI and it's rejected because it looks like invalid schema. By contrast http://localhost:3000/foo// works fine.
In addition Reactor Netty does not handle error signals as 500 errors well and hangs instead. I've created a ticket for that but meanwhile also improved the way the URI is parsed so we don't run into this issue and also tightened UriSyntaxException handling so it would be treated as a 400 error if it did occur.