Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method

This commit is contained in:
Rob Winch 2015-02-04 11:57:46 -06:00
parent 31234ecef9
commit 07c54e5d0e
4 changed files with 54 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
View File

@ -122,7 +122,7 @@ public final class AntPathRequestMatcher implements RequestMatcher {
* {@code servletPath} + {@code pathInfo} of the request. * {@code servletPath} + {@code pathInfo} of the request.
*/ */
public boolean matches(HttpServletRequest request) { public boolean matches(HttpServletRequest request) {
if (httpMethod != null && StringUtils.hasText(request.getMethod()) && httpMethod != HttpMethod.valueOf(request.getMethod())) { if (httpMethod != null && StringUtils.hasText(request.getMethod()) && httpMethod != valueOf(request.getMethod())) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'" logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
+ " doesn't match '" + httpMethod + " " + pattern); + " doesn't match '" + httpMethod + " " + pattern);
@ -201,6 +201,21 @@ public final class AntPathRequestMatcher implements RequestMatcher {
return sb.toString(); return sb.toString();
} }
/**
* Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
*
* @param method the HTTP method to use.
*
* @return the HttpMethod or null if method is invalid.
*/
private static HttpMethod valueOf(String method) {
try {
return HttpMethod.valueOf(method);
} catch(IllegalArgumentException e) {}
return null;
}
private static interface Matcher { private static interface Matcher {
boolean matches(String path); boolean matches(String path);
} }

18
web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
View File

@ -75,7 +75,7 @@ public final class RegexRequestMatcher implements RequestMatcher {
* @return true if the pattern matches the URL, false otherwise. * @return true if the pattern matches the URL, false otherwise.
*/ */
public boolean matches(HttpServletRequest request) { public boolean matches(HttpServletRequest request) {
if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) { if (httpMethod != null && request.getMethod() != null && httpMethod != valueOf(request.getMethod())) {
return false; return false;
} }
@ -102,4 +102,20 @@ public final class RegexRequestMatcher implements RequestMatcher {
return pattern.matcher(url).matches(); return pattern.matcher(url).matches();
} }
/**
* Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
*
* @param method the HTTP method to use.
*
* @return the HttpMethod or null if method is invalid.
*/
private static HttpMethod valueOf(String method) {
try {
return HttpMethod.valueOf(method);
} catch(IllegalArgumentException e) {}
return null;
}
} }

10
web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
View File

@ -151,6 +151,16 @@ public class AntPathRequestMatcherTests {
new AntPathRequestMatcher("/blah", "GET").toString(); new AntPathRequestMatcher("/blah", "GET").toString();
} }
// SEC-2831
@Test
public void matchesWithInvalidMethod() {
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah", "GET");
MockHttpServletRequest request = createRequest("/blah");
request.setMethod("INVALID");
assertThat(matcher.matches(request)).isFalse();
}
private HttpServletRequest createRequestWithNullMethod(String path) { private HttpServletRequest createRequestWithNullMethod(String path) {
when(request.getQueryString()).thenReturn("doesntMatter"); when(request.getQueryString()).thenReturn("doesntMatter");
when(request.getServletPath()).thenReturn(path); when(request.getServletPath()).thenReturn(path);

11
web/src/test/java/org/springframework/security/web/util/matcher/RegexRequestMatcherTests.java
View File

@ -12,6 +12,7 @@
*/ */
package org.springframework.security.web.util.matcher; package org.springframework.security.web.util.matcher;
import static org.fest.assertions.Assertions.assertThat;
import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
@ -94,6 +95,16 @@ public class RegexRequestMatcherTests {
assertFalse(matcher.matches(request)); assertFalse(matcher.matches(request));
} }
// SEC-2831
@Test
public void matchesWithInvalidMethod() {
RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");
MockHttpServletRequest request = new MockHttpServletRequest("INVALID","/blah");
request.setMethod("INVALID");
assertThat(matcher.matches(request)).isFalse();
}
private HttpServletRequest createRequestWithNullMethod(String path) { private HttpServletRequest createRequestWithNullMethod(String path) {
when(request.getQueryString()).thenReturn("doesntMatter"); when(request.getQueryString()).thenReturn("doesntMatter");
when(request.getServletPath()).thenReturn(path); when(request.getServletPath()).thenReturn(path);