Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add hash-based Content-Security-Policy for SAML pages

Browse Source 
Closes gh-11631
This commit is contained in:
Ulrich Grave 2022-07-27 09:02:54 +02:00 committed by Josh Cummings
parent f86d30f4a1
commit 4393c2ea02
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
6 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
View File

@ -146,6 +146,8 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
StringBuilder html = new StringBuilder(); StringBuilder html = new StringBuilder();
html.append("<!DOCTYPE html>\n"); html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n"); html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
html.append(" <meta charset=\"utf-8\" />\n"); html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n"); html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n"); html.append(" <body onload=\"document.forms[0].submit()\">\n");

2
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java
View File

@ -199,6 +199,8 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
StringBuilder html = new StringBuilder(); StringBuilder html = new StringBuilder();
html.append("<!DOCTYPE html>\n"); html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n"); html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
html.append(" <meta charset=\"utf-8\" />\n"); html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n"); html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n"); html.append(" <body onload=\"document.forms[0].submit()\">\n");

2
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java
View File

@ -118,6 +118,8 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
StringBuilder html = new StringBuilder(); StringBuilder html = new StringBuilder();
html.append("<!DOCTYPE html>\n"); html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n"); html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
html.append(" <meta charset=\"utf-8\" />\n"); html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n"); html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n"); html.append(" <body onload=\"document.forms[0].submit()\">\n");

4
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilterTests.java
View File

@ -170,7 +170,9 @@ public class Saml2WebSsoAuthenticationRequestFilterTests {
given(this.authenticationRequestResolver.resolve(any())).willReturn(request); given(this.authenticationRequestResolver.resolve(any())).willReturn(request);
this.filter.doFilterInternal(this.request, this.response, this.filterChain); this.filter.doFilterInternal(this.request, this.response, this.filterChain);
assertThat(this.response.getHeader("Location")).isNull(); assertThat(this.response.getHeader("Location")).isNull();
assertThat(this.response.getContentAsString()) assertThat(this.response.getContentAsString()).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">")
.contains("<body onload=\"document.forms[0].submit()\">")
.contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">") .contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">")
.contains("<input type=\"hidden\" name=\"SAMLRequest\"") .contains("<input type=\"hidden\" name=\"SAMLRequest\"")
.contains("value=\"" + relayStateEncoded + "\""); .contains("value=\"" + relayStateEncoded + "\"");

3
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java
View File

@ -111,6 +111,9 @@ public class Saml2LogoutRequestFilterTests {
String content = response.getContentAsString(); String content = response.getContentAsString();
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE); assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation()); assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
assertThat(content).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
} }
@Test @Test

5
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -97,6 +97,9 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
String content = response.getContentAsString(); String content = response.getContentAsString();
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST); assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation()); assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
assertThat(content).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
} }
private Saml2Authentication authentication(RelyingPartyRegistration registration) { private Saml2Authentication authentication(RelyingPartyRegistration registration) {