When calling http://localhost:8080/test-app/test?notRequired=xyz
I am no longer getting a 400 bad request for the below after upgrading to boot 2.3.X. Please note, I have spring-boot-starter-validation included in my pom.

    import javax.validation.constraints.NotNull;

    public class RequestParamsTest {
        @NotNull
        private String required;
        private String notRequired;
        // Getters, setters, hashcode, equals, toString
    }

    import org.springframework.web.bind.annotation.*;
    import javax.validation.Valid;

    @RestController
    public class TestController {
        @GetMapping("test")
        public String test(@Valid RequestParamsTest request) {
            return request.toString();
        }
    }

Comment From: wilkinsona
Thanks for the report but I cannot reproduce the behaviour that you have described. With 2.3.10 I get the expected 400 response:

    $ http 'http://localhost:8080/test?notRequired=xyz'
    HTTP/1.1 400
    Connection: close
    Content-Type: application/json
    Date: Fri, 30 Apr 2021 16:52:02 GMT
    Transfer-Encoding: chunked

    {
        "error": "Bad Request",
        "message": "",
        "path": "/test",
        "status": 400,
        "timestamp": "2021-04-30T16:52:02.651+00:00"
    }

A warning is also logged:
2021-04-30 17:51:48.682 WARN 41978 --- [nio-8080-exec-2] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.validation.BindException: org.springframework.validation.BeanPropertyBindingResult: 1 errors
Field error in object 'requestParamsTest' on field 'required': rejected value [null]; codes [NotNull.requestParamsTest.required,NotNull.required,NotNull.java.lang.String,NotNull]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [requestParamsTest.required,required]; arguments []; default message [required]]; default message [must not be null]]
If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.
Comment From: hesselapplications
Ah, I found the discrepancy. I was using the following in an attempt to mitigate CVE-2020-10693:

    <properties>
        <hibernate-validator.version>7.0.1.Final</hibernate-validator.version>
    </properties>

7.0.1.Final broke the validation functionality. It works with 6.2.0.Final however. Thanks for the help!
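
A regression test for the behaviour discussed in this thread, as an added example that is not part of the issue or of Spring Boot's own code: Hibernate Validator 7.x implements the `jakarta.validation` API, so the `javax.validation` annotations used above are no longer enforced and `@Valid` stops rejecting requests without any error at startup. It assumes JUnit 5 and `spring-boot-starter-test`, a `@SpringBootApplication` class in the application, and that the test (hypothetical name `ValidationRegressionTest`) sits in the same package as `TestController` and `RequestParamsTest`.

```java
// Added example, not from the issue thread.
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class ValidationRegressionTest { // hypothetical class name

    @Autowired
    private MockMvc mvc;

    // Throws javax.validation.ValidationException when no provider for the
    // javax.validation API is on the classpath, which is the case after
    // overriding hibernate-validator.version to a 7.x release.
    @Test
    void javaxProviderEnforcesNotNull() {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<RequestParamsTest>> violations =
                validator.validate(new RequestParamsTest());
        assertThat(violations).hasSize(1);
        assertThat(violations.iterator().next().getPropertyPath().toString())
                .isEqualTo("required");
    }

    // The request from the report: 'required' is missing, so binding must fail.
    @Test
    void missingRequiredParameterIsRejected() throws Exception {
        mvc.perform(get("/test").param("notRequired", "xyz"))
           .andExpect(status().isBadRequest());
    }

    // Control case: a complete request still reaches the handler.
    @Test
    void completeRequestIsAccepted() throws Exception {
        mvc.perform(get("/test").param("required", "abc").param("notRequired", "xyz"))
           .andExpect(status().isOk());
    }
}
```

Running this in CI alongside any dependency version override turns a silently disabled validator into a failing build instead of an endpoint that accepts unvalidated input.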