Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Throws exception when passed IP address with too long mask 

Fixes gh-2790
This commit is contained in:
Clement Ng 2019-07-04 15:46:24 -07:00 committed by Josh Cummings
parent d5e5ac0503
commit ab6440db10
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2019 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -22,6 +22,7 @@ import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.util.Assert;
/** /**
* Matches a request based on IP Address or subnet mask matching against the remote * Matches a request based on IP Address or subnet mask matching against the remote
@ -55,6 +56,9 @@ public final class IpAddressMatcher implements RequestMatcher {
nMaskBits = -1; nMaskBits = -1;
} }
requiredAddress = parseAddress(ipAddress); requiredAddress = parseAddress(ipAddress);
Assert.isTrue(requiredAddress.getAddress().length * 8 >= nMaskBits,
String.format("IP address %s is too short for bitmask of length %d",
ipAddress, nMaskBits));
} }
public boolean matches(HttpServletRequest request) { public boolean matches(HttpServletRequest request) {

22
web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2016 the original author or authors. * Copyright 2002-2019 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -84,4 +84,24 @@ public class IpAddressMatcherTests {
assertThat(matcher.matches("123.4.5.6")).isTrue(); assertThat(matcher.matches("123.4.5.6")).isTrue();
assertThat(matcher.matches("192.168.0.159")).isTrue(); assertThat(matcher.matches("192.168.0.159")).isTrue();
} }
// SEC-2576
@Test
public void ipv4RequiredAddressMaskTooLongThenIllegalArgumentException() {
String ipv4AddressWithTooLongMask = "192.168.1.104/33";
assertThatCode(() -> new IpAddressMatcher(ipv4AddressWithTooLongMask))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage(String.format("IP address %s is too short for bitmask of " +
"length %d", "192.168.1.104", 33));
}
// SEC-2576
@Test
public void ipv6RequiredAddressMaskTooLongThenIllegalArgumentException() {
String ipv6AddressWithTooLongMask = "fe80::21f:5bff:fe33:bd68/129";
assertThatCode(() -> new IpAddressMatcher(ipv6AddressWithTooLongMask))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage(String.format("IP address %s is too short for bitmask of " +
"length %d", "fe80::21f:5bff:fe33:bd68", 129));
}
} }