Additional validation for forwarded header address value

Closes gh-26748
Rossen Stoyanchev
2021-04-06 19:43:13 +01:00
parent 01bea34569
commit 8a1182a678
3 changed files with 41 additions and 4 deletions


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import org.springframework.web.testfixture.servlet.MockHttpServletRequest;
import org.springframework.web.testfixture.servlet.MockHttpServletResponse;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.Mockito.mock;
/**
@@ -470,6 +471,13 @@ public class ForwardedHeaderFilterTests {
assertThat(actual.getRemoteAddr()).isEqualTo(actual.getRemoteHost()).isEqualTo("203.0.113.195");
assertThat(actual.getRemotePort()).isEqualTo(MockHttpServletRequest.DEFAULT_SERVER_PORT);
}
@Test // gh-26748
public void forwardedForInvalidIpV6Address() {
request.addHeader(FORWARDED, "for=\"2a02:918:175:ab60:45ee:c12c:dac1:808b\"");
assertThatIllegalArgumentException().isThrownBy(
ForwardedHeaderFilterTests.this::filterAndGetWrappedRequest);
}
}
@Nested
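Review bot: The name `forwardedForInvalidIpV6Address` and its header value do not say what is invalid: `2a02:918:175:ab60:45ee:c12c:dac1:808b` is a well-formed IPv6 literal, and what the test appears to exercise is that it is not enclosed in square brackets inside the quoted `for=` value, as RFC 7239 requires. A one-line comment above `request.addHeader(...)` such as `// IPv6 in "for" must be bracketed (RFC 7239, section 6); the bare form must be rejected` would make that explicit, and the same naming point applies to `fromHttpRequestWithForwardedInvalidIPv6Address` in UriComponentsBuilderTests. Because `Forwarded` is request-supplied unless a trusted proxy strips it, the test also pins that an `IllegalArgumentException` is thrown, presumably out of the filter itself. How that exception becomes a response is not visible here, so it is worth confirming that it ends as a client error rather than an unhandled 500.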


@@ -453,6 +453,21 @@ class UriComponentsBuilderTests {
assertThat(result.toString()).isEqualTo("http://[1abc:2abc:3abc::5ABC:6abc]:8080/mvc-showcase");
}
@Test // gh-26748
void fromHttpRequestWithForwardedInvalidIPv6Address() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setScheme("http");
request.setServerName("localhost");
request.setServerPort(-1);
request.setRequestURI("/mvc-showcase");
request.addHeader("X-Forwarded-Host", "2a02:918:175:ab60:45ee:c12c:dac1:808b");
HttpRequest httpRequest = new ServletServerHttpRequest(request);
assertThatIllegalArgumentException().isThrownBy(() ->
UriComponentsBuilder.fromHttpRequest(httpRequest).build());
}
@Test
void fromHttpRequestWithForwardedHost() {
MockHttpServletRequest request = new MockHttpServletRequest();
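Review bot: The assertion in `fromHttpRequestWithForwardedInvalidIPv6Address` accepts any `IllegalArgumentException` raised by either `fromHttpRequest(httpRequest)` or `build()`, since both calls sit inside the lambda. It would therefore still pass if the `X-Forwarded-Host` value were accepted and an unrelated argument check failed later. To pin the validation itself, keep only the call expected to reject the header inside the lambda and add `.withMessageContaining("<fragment of the validation message>")` (placeholder; the message text is not visible in this section). A companion case using the bracketed form of the same address would show that only the unbracketed value is refused.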