Apache
/
archiva-redback-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixing X-Forwarded-Host header handling

This commit is contained in:
Martin Stockhammer 2017-05-10 22:59:51 +02:00
parent 396694765f
commit 4e4e3428c4
2 changed files with 175 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
View File

@ -31,6 +31,7 @@ import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBa
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.users.User;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
@ -535,17 +536,24 @@ public class RequestValidationInterceptor
{
xforwardedProto = requestUrl.getProtocol();
}
if ( xforwarded != null )
if ( xforwarded != null && !StringUtils.isEmpty( xforwarded ) )
{
// X-Forwarded-Host header may contain multiple hosts if there is
// more than one proxy between the client and the server
String[] forwardedList = xforwarded.split( "\\s*,\\s*" );
for ( String hostname : forwardedList )
{
try
{
urls.add( new URL( xforwardedProto + "://" + xforwarded ) );
urls.add( new URL( xforwardedProto + "://" + hostname ) );
}
catch ( MalformedURLException ex )
{
log.warn( "X-Forwarded-Host Header is malformed: {}", ex.getMessage() );
}
}
}
return urls;
}
}

91
redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RequestValidationInterceptorTest.java
View File

@ -38,17 +38,17 @@ import java.util.List;
/**
* Created by Martin Stockhammer on 21.01.17.
*
* <p>
* Unit Test for RequestValidationInterceptor. The unit tests are all without token validation.
*
*/
@RunWith( JUnit4.class )
public class RequestValidationInterceptorTest extends TestCase {
public class RequestValidationInterceptorTest extends TestCase
{
@Test
public void validateRequestWithoutHeader() throws UserConfigurationException, IOException {
public void validateRequestWithoutHeader() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -62,7 +62,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithOrigin() throws UserConfigurationException, IOException {
public void validateRequestWithOrigin() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -78,7 +79,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithBadOrigin() throws UserConfigurationException, IOException {
public void validateRequestWithBadOrigin() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -94,7 +96,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithReferer() throws UserConfigurationException, IOException {
public void validateRequestWithReferer() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -110,7 +113,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithBadReferer() throws UserConfigurationException, IOException {
public void validateRequestWithBadReferer() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -126,7 +130,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithOriginAndReferer() throws UserConfigurationException, IOException {
public void validateRequestWithOriginAndReferer() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
@ -142,9 +147,67 @@ public class RequestValidationInterceptorTest extends TestCase {
assertFalse( ctx.isAborted() );
}
@Test
public void validateRequestWithOriginAndRefererAndXForwarded() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
RequestValidationInterceptor interceptor = new RequestValidationInterceptor( cfg );
MockHttpServletRequest request = new MockHttpServletRequest( "GET", "/api/v1/userService" );
request.setServerName( "xxx.archiva.org" );
request.addHeader( "Origin", "http://test.archiva.org/myservlet" );
request.addHeader( "Referer", "http://test.archiva.org/myservlet2" );
request.addHeader( "X-Forwarded-Host", "test.archiva.org" );
interceptor.setHttpRequest( request );
interceptor.init();
MockContainerRequestContext ctx = new MockContainerRequestContext();
interceptor.filter( ctx );
assertFalse( ctx.isAborted() );
}
@Test
public void validateRequestWithOriginAndStaticUrl() throws UserConfigurationException, IOException {
public void validateRequestWithOriginAndRefererAndWrongXForwarded() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
RequestValidationInterceptor interceptor = new RequestValidationInterceptor( cfg );
MockHttpServletRequest request = new MockHttpServletRequest( "GET", "/api/v1/userService" );
request.setServerName( "xxx.archiva.org" );
request.addHeader( "Origin", "http://test.archiva.org/myservlet" );
request.addHeader( "Referer", "http://test.archiva.org/myservlet2" );
request.addHeader( "X-Forwarded-Host", "test2.archiva.org" );
interceptor.setHttpRequest( request );
interceptor.init();
MockContainerRequestContext ctx = new MockContainerRequestContext();
interceptor.filter( ctx );
assertTrue( ctx.isAborted() );
}
@Test
public void validateRequestWithOriginAndRefererAndXForwardedMultiple() throws UserConfigurationException, IOException
{
TokenManager tm = new TokenManager();
MockUserConfiguration cfg = new MockUserConfiguration();
cfg.addValue( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, "true" );
RequestValidationInterceptor interceptor = new RequestValidationInterceptor( cfg );
MockHttpServletRequest request = new MockHttpServletRequest( "GET", "/api/v1/userService" );
request.setServerName( "xxx.archiva.org" );
request.addHeader( "Origin", "http://test.archiva.org/myservlet" );
request.addHeader( "Referer", "http://test.archiva.org/myservlet2" );
request.addHeader( "X-Forwarded-Host", "my.proxy.org, test.archiva.org:80" );
interceptor.setHttpRequest( request );
interceptor.init();
MockContainerRequestContext ctx = new MockContainerRequestContext();
interceptor.filter( ctx );
assertFalse( ctx.isAborted() );
}
@Test
public void validateRequestWithOriginAndStaticUrl() throws UserConfigurationException, IOException
{
MockUserConfiguration cfg = new MockUserConfiguration();
List<String> urls = new ArrayList<String>();
urls.add( "http://test.archiva.org" );
@ -163,7 +226,8 @@ public class RequestValidationInterceptorTest extends TestCase {
}
@Test
public void validateRequestWithBadOriginAndStaticUrl() throws UserConfigurationException, IOException {
public void validateRequestWithBadOriginAndStaticUrl() throws UserConfigurationException, IOException
{
MockUserConfiguration cfg = new MockUserConfiguration();
List<String> urls = new ArrayList<String>();
urls.add( "http://mytest.archiva.org" );
@ -183,7 +247,8 @@ public class RequestValidationInterceptorTest extends TestCase {
@Test
public void validateRequestWithOriginListAndStaticUrl() throws UserConfigurationException, IOException {
public void validateRequestWithOriginListAndStaticUrl() throws UserConfigurationException, IOException
{
MockUserConfiguration cfg = new MockUserConfiguration();
List<String> urls = new ArrayList<String>();
urls.add( "http://mytest.archiva.org" );