Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 05:22:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix non-standard HTTP method for CsrfWebFilter

Browse Source 
Closes gh-8452
This commit is contained in:
Rob Winch 2020-05-11 17:20:27 -05:00
parent b007fdc333
commit d9f57492d4
2 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -55,6 +55,7 @@ import org.springframework.web.server.WebFilterChain;
* </p> * </p>
* *
* @author Rob Winch * @author Rob Winch
* @author Parikshit Dutta
* @since 5.0 * @since 5.0
*/ */
public class CsrfWebFilter implements WebFilter { public class CsrfWebFilter implements WebFilter {
@ -136,7 +137,7 @@ public class CsrfWebFilter implements WebFilter {
@Override @Override
public Mono<MatchResult> matches(ServerWebExchange exchange) { public Mono<MatchResult> matches(ServerWebExchange exchange) {
return Mono.just(exchange.getRequest()) return Mono.just(exchange.getRequest())
.map(r -> r.getMethod()) .flatMap(r -> Mono.justOrEmpty(r.getMethod()))
.filter(m -> ALLOWED_METHODS.contains(m)) .filter(m -> ALLOWED_METHODS.contains(m))
.flatMap(m -> MatchResult.notMatch()) .flatMap(m -> MatchResult.notMatch())
.switchIfEmpty(MatchResult.match()); .switchIfEmpty(MatchResult.match());

30
web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2017 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -20,10 +20,14 @@ import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner; import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange; import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.web.server.WebFilterChain; import org.springframework.web.server.WebFilterChain;
import org.springframework.web.server.WebSession; import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
@ -33,9 +37,11 @@ import reactor.test.publisher.PublisherProbe;
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat; import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import static org.springframework.mock.web.server.MockServerWebExchange.from;
/** /**
* @author Rob Winch * @author Rob Winch
* @author Parikshit Dutta
* @since 5.0 * @since 5.0
*/ */
@RunWith(MockitoJUnitRunner.class) @RunWith(MockitoJUnitRunner.class)
@ -49,10 +55,10 @@ public class CsrfWebFilterTests {
private CsrfWebFilter csrfFilter = new CsrfWebFilter(); private CsrfWebFilter csrfFilter = new CsrfWebFilter();
private MockServerWebExchange get = MockServerWebExchange.from( private MockServerWebExchange get = from(
MockServerHttpRequest.get("/")); MockServerHttpRequest.get("/"));
private MockServerWebExchange post = MockServerWebExchange.from( private MockServerWebExchange post = from(
MockServerHttpRequest.post("/")); MockServerHttpRequest.post("/"));
@Test @Test
@ -104,7 +110,7 @@ public class CsrfWebFilterTests {
this.csrfFilter.setCsrfTokenRepository(this.repository); this.csrfFilter.setCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any())) when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = from(MockServerHttpRequest.post("/")
.body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID")); .body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID"));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain); Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
@ -125,7 +131,7 @@ public class CsrfWebFilterTests {
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any())) when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = from(MockServerHttpRequest.post("/")
.contentType(MediaType.APPLICATION_FORM_URLENCODED) .contentType(MediaType.APPLICATION_FORM_URLENCODED)
.body(this.token.getParameterName() + "="+this.token.getToken())); .body(this.token.getParameterName() + "="+this.token.getToken()));
@ -142,7 +148,7 @@ public class CsrfWebFilterTests {
this.csrfFilter.setCsrfTokenRepository(this.repository); this.csrfFilter.setCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any())) when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = from(MockServerHttpRequest.post("/")
.header(this.token.getHeaderName(), this.token.getToken()+"INVALID")); .header(this.token.getHeaderName(), this.token.getToken()+"INVALID"));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain); Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
@ -163,7 +169,7 @@ public class CsrfWebFilterTests {
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any())) when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token)); .thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/") this.post = from(MockServerHttpRequest.post("/")
.header(this.token.getHeaderName(), this.token.getToken())); .header(this.token.getHeaderName(), this.token.getToken()));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain); Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
@ -173,4 +179,14 @@ public class CsrfWebFilterTests {
chainResult.assertWasSubscribed(); chainResult.assertWasSubscribed();
} }
@Test
// gh-8452
public void matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed() {
HttpMethod customHttpMethod = HttpMethod.resolve("non-standard-http-method");
MockServerWebExchange nonStandardHttpRequest = from(MockServerHttpRequest.method(customHttpMethod, "/"));
ServerWebExchangeMatcher serverWebExchangeMatcher = CsrfWebFilter.DEFAULT_CSRF_MATCHER;
assertThat(serverWebExchangeMatcher.matches(nonStandardHttpRequest).map(MatchResult::isMatch).block()).isTrue();
}
} }