This was raised by @domi55 on Gitter. Making a request like this:
```
$ telnet localhost 8082
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET /RaNdoM_JuNk HTTP/1.1
Connection: Keep-Alive
Host: "><script>alert(document.domain)</script>
```
Results in a 500 response:
```
HTTP/1.1 500 
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Apr 2018 10:50:55 GMT
Connection: close
```
TraceableHttpServletRequest attempts to create a URI from the request URL of the HttpServletRequest. This uses the Host header so an attempt is made to create a URI containing "><script>alert(document.domain)</script>. This fails with an exception and results in a 500 response.
RFC2616 says that "The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL". The Host header above doesn't meet that requirement so, arguably, the container should have rejected the request with a 400 response.
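The failure described above, reproduced with plain `java.net.URI`, next to a Host header check that could be mapped to a 400 instead of letting the exception surface as a 500. This is an added example, not Spring Boot's or the container's code; the class and method names (`HostHeaderCheck`, `requestUri`, `isValidHost`) are hypothetical, and where such a check would be wired in is left open.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class HostHeaderCheck {

    // Rebuilds the request URI with the Host header as the authority,
    // as the issue describes. A malformed Host makes parsing throw.
    static URI requestUri(String hostHeader, String path) throws URISyntaxException {
        return new URI("http://" + hostHeader + path);
    }

    // True only if the header is a plain host or host:port (assumed policy:
    // no user info, path, query or fragment smuggled in through the header).
    static boolean isValidHost(String hostHeader) {
        if (hostHeader == null || hostHeader.isEmpty()) {
            return false;
        }
        try {
            URI uri = new URI("http://" + hostHeader).parseServerAuthority();
            String path = uri.getRawPath();
            return uri.getHost() != null
                    && uri.getRawUserInfo() == null
                    && (path == null || path.isEmpty())
                    && uri.getRawQuery() == null
                    && uri.getRawFragment() == null;
        } catch (URISyntaxException ex) {
            return false; // the case a caller would turn into a 400
        }
    }

    public static void main(String[] args) {
        // The Host header from the request above, plus a well-formed value for comparison.
        String[] hosts = { "\"><script>alert(document.domain)</script>", "localhost:8082" };
        for (String host : hosts) {
            String parse;
            try {
                parse = "parsed as " + requestUri(host, "/RaNdoM_JuNk");
            } catch (URISyntaxException ex) {
                parse = "URISyntaxException: " + ex.getReason();
            }
            System.out.println(host + " -> valid=" + isValidHost(host) + ", " + parse);
        }
    }
}
```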