SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method

2025-10-30 22:28:46 +00:00 · 2015-02-04 11:57:46 -06:00 · 2015-02-04 11:57:46 -06:00 · 07c54e5d0e
commit 07c54e5d0e
parent 31234ecef9
4 changed files with 54 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
@ -122,7 +122,7 @@ public final class AntPathRequestMatcher implements RequestMatcher {
     *    {@code servletPath} + {@code pathInfo} of the request.
     */
    public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && StringUtils.hasText(request.getMethod()) && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+        if (httpMethod != null && StringUtils.hasText(request.getMethod()) && httpMethod != valueOf(request.getMethod())) {
            if (logger.isDebugEnabled()) {
                logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
                        + " doesn't match '" + httpMethod  + " " + pattern);
@ -201,6 +201,21 @@ public final class AntPathRequestMatcher implements RequestMatcher {
        return sb.toString();
    }

+    /**
+     * Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
+     *
+     * @param method the HTTP method to use.
+     *
+     * @return the HttpMethod or null if method is invalid.
+     */
+    private static HttpMethod valueOf(String method) {
+        try {
+            return HttpMethod.valueOf(method);
+        } catch(IllegalArgumentException e) {}
+
+        return null;
+    }
+
    private static interface Matcher {
        boolean matches(String path);
    }
--- a/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java
@ -75,7 +75,7 @@ public final class RegexRequestMatcher implements RequestMatcher {
     * @return true if the pattern matches the URL, false otherwise.
     */
    public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+        if (httpMethod != null && request.getMethod() != null && httpMethod != valueOf(request.getMethod())) {
            return false;
        }

@ -102,4 +102,20 @@ public final class RegexRequestMatcher implements RequestMatcher {

        return pattern.matcher(url).matches();
    }
+
+
+    /**
+     * Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
+     *
+     * @param method the HTTP method to use.
+     *
+     * @return the HttpMethod or null if method is invalid.
+     */
+    private static HttpMethod valueOf(String method) {
+        try {
+            return HttpMethod.valueOf(method);
+        } catch(IllegalArgumentException e) {}
+
+        return null;
+    }
 }
--- a/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java
@ -151,6 +151,16 @@ public class AntPathRequestMatcherTests {
        new AntPathRequestMatcher("/blah", "GET").toString();
    }

+    // SEC-2831
+    @Test
+    public void matchesWithInvalidMethod() {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah", "GET");
+        MockHttpServletRequest request = createRequest("/blah");
+        request.setMethod("INVALID");
+
+        assertThat(matcher.matches(request)).isFalse();
+    }
+
    private HttpServletRequest createRequestWithNullMethod(String path) {
        when(request.getQueryString()).thenReturn("doesntMatter");
        when(request.getServletPath()).thenReturn(path);
--- a/web/src/test/java/org/springframework/security/web/util/matcher/RegexRequestMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/RegexRequestMatcherTests.java
@ -12,6 +12,7 @@
 */
 package org.springframework.security.web.util.matcher;

+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.when;
@ -94,6 +95,16 @@ public class RegexRequestMatcherTests {
        assertFalse(matcher.matches(request));
    }

+    // SEC-2831
+    @Test
+    public void matchesWithInvalidMethod() {
+        RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");
+        MockHttpServletRequest request = new MockHttpServletRequest("INVALID","/blah");
+        request.setMethod("INVALID");
+
+        assertThat(matcher.matches(request)).isFalse();
+    }
+
    private HttpServletRequest createRequestWithNullMethod(String path) {
        when(request.getQueryString()).thenReturn("doesntMatter");
        when(request.getServletPath()).thenReturn(path);