Fix HTTP Parameter Pollution: Spring Boot REST API Code Review
A Spring Boot controller binding ?role=user&role=admin to a plain String will quietly take the last value, or the first, depending on the servlet container. That non-determinism is the attack surface. Proxies strip, reorder, or concatenate duplicates differently from Tomcat, so an attacker who knows your stack can craft a request where your WAF sees role=user and your controller sees role=admin. No injection required, just a second query parameter and a server that does not reject it.
How HTTP Parameter Pollution Breaks Spring Boot Endpoints
The core problem is that HTTP has no spec-level rule about duplicate parameter names. RFC 3986 allows it. What happens next is implementation-defined, and every layer in your stack makes its own choice.
Tomcat's request.getParameter("role") returns the first occurrence. request.getParameterValues("role") returns all of them. Spring MVC's @RequestParam String role uses getParameter, so it takes the first. A List<String> binding takes all of them. A raw MultiValueMap<String,String> keeps everything. If your WAF or Nginx proxy is configured to forward only the last value, you now have a mismatch an attacker can exploit.






