Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix non-standard HTTP method for CsrfWebFilter 

Closes gh-8149
This commit is contained in:
Parikshit Dutta 2020-05-02 00:07:33 +05:30 committed by Rob Winch
parent 6db514a4e2
commit 0f92415395
2 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -60,6 +60,7 @@ import static java.lang.Boolean.TRUE;
* </p> * </p>
* *
* @author Rob Winch * @author Rob Winch
* @author Parikshit Dutta
* @since 5.0 * @since 5.0
*/ */
public class CsrfWebFilter implements WebFilter { public class CsrfWebFilter implements WebFilter {
@ -187,7 +188,7 @@ public class CsrfWebFilter implements WebFilter {
@Override @Override
public Mono<MatchResult> matches(ServerWebExchange exchange) { public Mono<MatchResult> matches(ServerWebExchange exchange) {
return Mono.just(exchange.getRequest()) return Mono.just(exchange.getRequest())
.map(r -> r.getMethod()) .flatMap(r -> Mono.justOrEmpty(r.getMethod()))
.filter(m -> ALLOWED_METHODS.contains(m)) .filter(m -> ALLOWED_METHODS.contains(m))
.flatMap(m -> MatchResult.notMatch()) .flatMap(m -> MatchResult.notMatch())
.switchIfEmpty(MatchResult.match()); .switchIfEmpty(MatchResult.match());

19
web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -20,6 +20,8 @@ import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner; import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
@ -40,11 +42,14 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.spy;
import static org.springframework.mock.web.server.MockServerWebExchange.from; import static org.springframework.mock.web.server.MockServerWebExchange.from;
import static org.springframework.web.reactive.function.BodyInserters.fromMultipartData; import static org.springframework.web.reactive.function.BodyInserters.fromMultipartData;
/** /**
* @author Rob Winch * @author Rob Winch
* @author Parikshit Dutta
* @since 5.0 * @since 5.0
*/ */
@RunWith(MockitoJUnitRunner.class) @RunWith(MockitoJUnitRunner.class)
@ -183,6 +188,18 @@ public class CsrfWebFilterTests {
chainResult.assertWasSubscribed(); chainResult.assertWasSubscribed();
} }
@Test
public void matchesRequireCSRFProtectionWhenNonStandardHTTPMethodIsUsed() {
final String NON_STANDARD_HTTP_METHOD = "non-standard-http-method";
MockServerWebExchange nonStandardHttpRequest = from(MockServerHttpRequest.method(HttpMethod.resolve(NON_STANDARD_HTTP_METHOD), "/"));
ServerWebExchangeMatcher serverWebExchangeMatcher = spy(CsrfWebFilter.DEFAULT_CSRF_MATCHER);
serverWebExchangeMatcher.matches(nonStandardHttpRequest);
verify(serverWebExchangeMatcher).matches(nonStandardHttpRequest);
assertThat(serverWebExchangeMatcher.matches(nonStandardHttpRequest).block().isMatch()).isTrue();
}
@Test @Test
public void doFilterWhenSkipExchangeInvokedThenSkips() { public void doFilterWhenSkipExchangeInvokedThenSkips() {
PublisherProbe<Void> chainResult = PublisherProbe.empty(); PublisherProbe<Void> chainResult = PublisherProbe.empty();