Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't Consume Request Body 

Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
This commit is contained in:
Erik Bakker 2020-06-04 11:34:00 +02:00 committed by Josh Cummings
parent 24a04f9c5f
commit cd3fd6762f
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
View File

@ -87,6 +87,9 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
@Override @Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) { public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
String registrationId = this.resolveRegistrationId(request); String registrationId = this.resolveRegistrationId(request);
if (registrationId == null) {
return null;
}
String redirectUriAction = getAction(request, "login"); String redirectUriAction = getAction(request, "login");
return resolve(request, registrationId, redirectUriAction); return resolve(request, registrationId, redirectUriAction);
} }

22
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
View File

@ -15,8 +15,12 @@
*/ */
package org.springframework.security.oauth2.client.web; package org.springframework.security.oauth2.client.web;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@ -99,6 +103,24 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
assertThat(authorizationRequest).isNull(); assertThat(authorizationRequest).isNull();
} }
@Test
public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setContent("foo".getBytes(StandardCharsets.UTF_8));
request.setCharacterEncoding(StandardCharsets.UTF_8.name());
HttpServletRequest spyRequest = Mockito.spy(request);
this.resolver.resolve(spyRequest);
Mockito.verify(spyRequest, Mockito.never()).getReader();
Mockito.verify(spyRequest, Mockito.never()).getInputStream();
Mockito.verify(spyRequest, Mockito.never()).getParameter(Mockito.anyString());
Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
Mockito.verify(spyRequest, Mockito.never()).getParameterValues(Mockito.anyString());
}
@Test @Test
public void resolveWhenAuthorizationRequestWithInvalidClientThenThrowIllegalArgumentException() { public void resolveWhenAuthorizationRequestWithInvalidClientThenThrowIllegalArgumentException() {
ClientRegistration clientRegistration = this.registration1; ClientRegistration clientRegistration = this.registration1;