mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-01 09:42:13 +00:00
Add StrictHttpFirewall.allow* new lines and separators
Issue gh-11264
This commit is contained in:
parent
5bf478e72e
commit
e2eed33eca
@ -107,9 +107,9 @@ public class StrictHttpFirewall implements HttpFirewall {
|
|||||||
|
|
||||||
private static final List<String> FORBIDDEN_NULL = Collections.unmodifiableList(Arrays.asList("\0", "%00"));
|
private static final List<String> FORBIDDEN_NULL = Collections.unmodifiableList(Arrays.asList("\0", "%00"));
|
||||||
|
|
||||||
private static final List<String> FORBIDDEN_LF = Collections.unmodifiableList(Arrays.asList("\r", "%0a", "%0A"));
|
private static final List<String> FORBIDDEN_LF = Collections.unmodifiableList(Arrays.asList("\n", "%0a", "%0A"));
|
||||||
|
|
||||||
private static final List<String> FORBIDDEN_CR = Collections.unmodifiableList(Arrays.asList("\n", "%0d", "%0D"));
|
private static final List<String> FORBIDDEN_CR = Collections.unmodifiableList(Arrays.asList("\r", "%0d", "%0D"));
|
||||||
|
|
||||||
private static final List<String> FORBIDDEN_LINE_SEPARATOR = Collections.unmodifiableList(Arrays.asList("\u2028"));
|
private static final List<String> FORBIDDEN_LINE_SEPARATOR = Collections.unmodifiableList(Arrays.asList("\u2028"));
|
||||||
|
|
||||||
@ -358,6 +358,69 @@ public class StrictHttpFirewall implements HttpFirewall {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if a URL encoded Carriage Return is allowed in the path or not. The
|
||||||
|
* default is not to allow this behavior because it is a frequent source of security
|
||||||
|
* exploits.
|
||||||
|
* @param allowUrlEncodedCarriageReturn if URL encoded Carriage Return is allowed in
|
||||||
|
* the URL or not. Default is false.
|
||||||
|
*/
|
||||||
|
public void setAllowUrlEncodedCarriageReturn(boolean allowUrlEncodedCarriageReturn) {
|
||||||
|
if (allowUrlEncodedCarriageReturn) {
|
||||||
|
urlBlocklistsRemoveAll(FORBIDDEN_CR);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
urlBlocklistsAddAll(FORBIDDEN_CR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if a URL encoded Line Feed is allowed in the path or not. The default is
|
||||||
|
* not to allow this behavior because it is a frequent source of security exploits.
|
||||||
|
* @param allowUrlEncodedLineFeed if URL encoded Line Feed is allowed in the URL or
|
||||||
|
* not. Default is false.
|
||||||
|
*/
|
||||||
|
public void setAllowUrlEncodedLineFeed(boolean allowUrlEncodedLineFeed) {
|
||||||
|
if (allowUrlEncodedLineFeed) {
|
||||||
|
urlBlocklistsRemoveAll(FORBIDDEN_LF);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
urlBlocklistsAddAll(FORBIDDEN_LF);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if a URL encoded paragraph separator is allowed in the path or not. The
|
||||||
|
* default is not to allow this behavior because it is a frequent source of security
|
||||||
|
* exploits.
|
||||||
|
* @param allowUrlEncodedParagraphSeparator if URL encoded paragraph separator is
|
||||||
|
* allowed in the URL or not. Default is false.
|
||||||
|
*/
|
||||||
|
public void setAllowUrlEncodedParagraphSeparator(boolean allowUrlEncodedParagraphSeparator) {
|
||||||
|
if (allowUrlEncodedParagraphSeparator) {
|
||||||
|
this.decodedUrlBlocklist.removeAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
this.decodedUrlBlocklist.addAll(FORBIDDEN_PARAGRAPH_SEPARATOR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if a URL encoded line separator is allowed in the path or not. The
|
||||||
|
* default is not to allow this behavior because it is a frequent source of security
|
||||||
|
* exploits.
|
||||||
|
* @param allowUrlEncodedLineSeparator if URL encoded line separator is allowed in the
|
||||||
|
* URL or not. Default is false.
|
||||||
|
*/
|
||||||
|
public void setAllowUrlEncodedLineSeparator(boolean allowUrlEncodedLineSeparator) {
|
||||||
|
if (allowUrlEncodedLineSeparator) {
|
||||||
|
this.decodedUrlBlocklist.removeAll(FORBIDDEN_LINE_SEPARATOR);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
this.decodedUrlBlocklist.addAll(FORBIDDEN_LINE_SEPARATOR);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* <p>
|
* <p>
|
||||||
* Determines which header names should be allowed. The default is to reject header
|
* Determines which header names should be allowed. The default is to reject header
|
||||||
|
@ -440,6 +440,82 @@ public class StrictHttpFirewallTests {
|
|||||||
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsLowercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||||
|
this.request.setRequestURI("/something%0a/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsUppercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||||
|
this.request.setRequestURI("/something%0A/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsLineFeedAndAllowedThenException() {
|
||||||
|
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||||
|
this.request.setRequestURI("/something\n/");
|
||||||
|
// Expected an error because the line feed is decoded in an encoded part of the
|
||||||
|
// URL
|
||||||
|
assertThatExceptionOfType(RequestRejectedException.class)
|
||||||
|
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenServletPathContainsLineFeedAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||||
|
this.request.setServletPath("/something\n/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsLowercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||||
|
this.request.setRequestURI("/something%0d/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsUppercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||||
|
this.request.setRequestURI("/something%0D/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenContainsCarriageReturnAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||||
|
this.request.setRequestURI("/something\r/");
|
||||||
|
// Expected an error because the carriage return is decoded in an encoded part of
|
||||||
|
// the URL
|
||||||
|
assertThatExceptionOfType(RequestRejectedException.class)
|
||||||
|
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenServletPathContainsCarriageReturnAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||||
|
this.request.setServletPath("/something\r/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenServletPathContainsLineSeparatorAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedLineSeparator(true);
|
||||||
|
this.request.setServletPath("/something\u2028/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void getFirewalledRequestWhenServletPathContainsParagraphSeparatorAndAllowedThenNoException() {
|
||||||
|
this.firewall.setAllowUrlEncodedParagraphSeparator(true);
|
||||||
|
this.request.setServletPath("/something\u2029/");
|
||||||
|
this.firewall.getFirewalledRequest(this.request);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
|
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
|
||||||
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC
|
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC
|
||||||
|
Loading…
x
Reference in New Issue
Block a user