Extract rejectNonPrintableAsciiCharactersInFieldName

Closes gh-11234
This commit is contained in:
Rob Winch 2022-05-12 16:13:32 -05:00
parent ffaf5b4e61
commit 04ca7ef91b
2 changed files with 42 additions and 5 deletions

View File

@ -431,14 +431,20 @@ public class StrictHttpFirewall implements HttpFirewall {
if (!isNormalized(request)) { if (!isNormalized(request)) {
throw new RequestRejectedException("The request was rejected because the URL was not normalized."); throw new RequestRejectedException("The request was rejected because the URL was not normalized.");
} }
String requestUri = request.getRequestURI(); rejectNonPrintableAsciiCharactersInFieldName(request.getRequestURI(), "requestURI");
if (!containsOnlyPrintableAsciiCharacters(requestUri)) { rejectNonPrintableAsciiCharactersInFieldName(request.getServletPath(), "servletPath");
throw new RequestRejectedException( rejectNonPrintableAsciiCharactersInFieldName(request.getPathInfo(), "pathInfo");
"The requestURI was rejected because it can only contain printable ASCII characters."); rejectNonPrintableAsciiCharactersInFieldName(request.getContextPath(), "contextPath");
}
return new StrictFirewalledRequest(request); return new StrictFirewalledRequest(request);
} }
private void rejectNonPrintableAsciiCharactersInFieldName(String toCheck, String propertyName) {
if (!containsOnlyPrintableAsciiCharacters(toCheck)) {
throw new RequestRejectedException(String.format(
"The %s was rejected because it can only contain printable ASCII characters.", propertyName));
}
}
private void rejectForbiddenHttpMethod(HttpServletRequest request) { private void rejectForbiddenHttpMethod(HttpServletRequest request) {
if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) { if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
return; return;
@ -526,6 +532,9 @@ public class StrictHttpFirewall implements HttpFirewall {
} }
private static boolean containsOnlyPrintableAsciiCharacters(String uri) { private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
if (uri == null) {
return true;
}
int length = uri.length(); int length = uri.length();
for (int i = 0; i < length; i++) { for (int i = 0; i < length; i++) {
char ch = uri.charAt(i); char ch = uri.charAt(i);

View File

@ -364,6 +364,34 @@ public class StrictHttpFirewallTests {
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request)); .isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
} }
@Test
public void getFirewalledRequestWhenContainsLineFeedThenException() {
this.request.setRequestURI("/something\n/");
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
}
@Test
public void getFirewalledRequestWhenServletPathContainsLineFeedThenException() {
this.request.setServletPath("/something\n/");
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
}
@Test
public void getFirewalledRequestWhenContainsCarriageReturnThenException() {
this.request.setRequestURI("/something\r/");
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
}
@Test
public void getFirewalledRequestWhenServletPathContainsCarriageReturnThenException() {
this.request.setServletPath("/something\r/");
assertThatExceptionOfType(RequestRejectedException.class)
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
}
/** /**
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c * On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC * because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC