From 06a02ed4bb8ce12ca1cd48b473cae6000f62b474 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Mon, 11 May 2020 17:20:27 -0500 Subject: [PATCH] Fix non-standard HTTP method for CsrfWebFilter Closes gh-8452 --- .../security/web/server/csrf/CsrfWebFilter.java | 5 +++-- .../web/server/csrf/CsrfWebFilterTests.java | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java index 33d06d39da..64dcc1b6af 100644 --- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -60,6 +60,7 @@ import static java.lang.Boolean.TRUE; *

* * @author Rob Winch + * @author Parikshit Dutta * @since 5.0 */ public class CsrfWebFilter implements WebFilter { @@ -187,7 +188,7 @@ public class CsrfWebFilter implements WebFilter { @Override public Mono matches(ServerWebExchange exchange) { return Mono.just(exchange.getRequest()) - .map(r -> r.getMethod()) + .flatMap(r -> Mono.justOrEmpty(r.getMethod())) .filter(m -> ALLOWED_METHODS.contains(m)) .flatMap(m -> MatchResult.notMatch()) .switchIfEmpty(MatchResult.match()); diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java index cd3df76693..94d0334e18 100644 --- a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2020 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,11 +20,14 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; + +import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.web.server.MockServerWebExchange; import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher; +import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult; import org.springframework.test.web.reactive.server.WebTestClient; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @@ -45,6 +48,7 @@ import static org.springframework.web.reactive.function.BodyInserters.fromMultip /** * @author Rob Winch + * @author Parikshit Dutta * @since 5.0 */ @RunWith(MockitoJUnitRunner.class) @@ -183,6 +187,16 @@ public class CsrfWebFilterTests { chainResult.assertWasSubscribed(); } + @Test + // gh-8452 + public void matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed() { + HttpMethod customHttpMethod = HttpMethod.resolve("non-standard-http-method"); + MockServerWebExchange nonStandardHttpRequest = from(MockServerHttpRequest.method(customHttpMethod, "/")); + + ServerWebExchangeMatcher serverWebExchangeMatcher = CsrfWebFilter.DEFAULT_CSRF_MATCHER; + assertThat(serverWebExchangeMatcher.matches(nonStandardHttpRequest).map(MatchResult::isMatch).block()).isTrue(); + } + @Test public void doFilterWhenSkipExchangeInvokedThenSkips() { PublisherProbe chainResult = PublisherProbe.empty();