[Bug] Hippo4j anonymous login info leak

[RacerZ-fighting]

Search before asking

• I had searched in the issues and found no similar issues.

Environment

Mac

Hippo4j version

develop

What happened

When attempting to extend Hippo4j with matrix parameters such as ;jsessionid, it is necessary to manually disable the semicolon filtering in the security firewall (e.g., firewall.setAllowSemicolon(true)). However, this may result in unexpected behavior in cn.hippo4j.auth.filter.RewriteUserInfoApiFilter, potentially leading to system information leakage.

How to reproduce

Step1. Rewrite HttpFirewall class to support request URL with semicolon.

Step2. Disable the hippo4j.core.auth.enabled option

Step3. At this point, accessing hippo4j/v1/cs/auth/users/info/test should theoretically result in a redirection and return information related to the admin user.

However, when attempting to add ;jsessionid=xxx to the URL, such as hippo4j/v1/cs/auth/users;jsessionid=xxx/info/test, the information of the test user was exposed.

Debug logs

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct *