[FIXED] Retrofit, OkHttp3 and Spring occasional error The request was rejected because the URL contained a potentially malicious String ";"

Issue

we are having a network error, and are not sure what could be causing it. We upload data from an Android app, and most of the time it works great.

Data are sent with Retrofit and OKHttp3 using an interface:

private static String BASE_URL = "https://backend.ourapp.com/api/";
    private static String cert1 = ...;
    private static String cert2 = ...;
    private static String cert3 = ...;

    public static Retrofit retrofit;

    static Gson gson = new GsonBuilder()
            .setLenient()
            .create();

    static CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add("backend.ourapp.com", cert1)
            .add("backend.ourapp.com", cert2)
            .add("backend.ourapp.com", cert3)
            .build();

    public static HttpLoggingInterceptor logging =
            new HttpLoggingInterceptor()
                    .setLevel(HttpLoggingInterceptor.Level.BODY);

public static OkHttpClient okHttpClient = new OkHttpClient.Builder()
            .readTimeout(180, TimeUnit.SECONDS)
            .connectTimeout(180, TimeUnit.SECONDS)
            .certificatePinner(certificatePinner)
            .addInterceptor(logging)
            .build();


    public static Retrofit getClient(String url) {
        if (retrofit == null) {
            retrofit = new Retrofit.Builder()
                    .baseUrl(url)
                    .addConverterFactory(GsonConverterFactory.create())
                    .client(okHttpClient)
                    .build();
        }
        return retrofit;
    }

    public static ApiInterface apiInterface() {
        retrofit = null;
        return ApiClient.getClient(BASE_URL).create(ApiInterface.class);
    }

But then all of a sudden, and randomly, we start having issues. Error from backend log is:

ERROR org.apache.juli.logging.DirectJDKLog [http-nio-7200-exec-1] Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

We understand this is part of StrictHttpFirewall, and aren't looking to use .setAllowSemicolon(true);.

But we are confused why this is happening, because we aren't, as far as we know, appending anything to our URL. It's an error that also seems to pop up randomly, and then disappear randomly. It also isn't universal- a user will start having the problem while others are OK, and then they will be fine. It typically happens with mobile data networks and not wifi.

Suggestions?? Other things we should look at? Don't suppose it could somehow be certificate related? We have set the timeouts fairly liberally because our app is used on networks that are often slow, but if this particular error doesn't happen, upload is usually successful. We are using retrofit 2.4 and okhttp3 3.10.

Thanks

Solution

It appears that the problem is resolved by simply updating Retrofit to 2.9.0 and OkHttp3 to 4.9.1.

Answered By - user3398945