Additional validation for forwarded header address value
Closes gh-26748
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -36,6 +36,7 @@ import org.springframework.web.testfixture.servlet.MockHttpServletRequest;
|
||||
import org.springframework.web.testfixture.servlet.MockHttpServletResponse;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
@@ -470,6 +471,13 @@ public class ForwardedHeaderFilterTests {
|
||||
assertThat(actual.getRemoteAddr()).isEqualTo(actual.getRemoteHost()).isEqualTo("203.0.113.195");
|
||||
assertThat(actual.getRemotePort()).isEqualTo(MockHttpServletRequest.DEFAULT_SERVER_PORT);
|
||||
}
|
||||
|
||||
@Test // gh-26748
|
||||
public void forwardedForInvalidIpV6Address() {
|
||||
request.addHeader(FORWARDED, "for=\"2a02:918:175:ab60:45ee:c12c:dac1:808b\"");
|
||||
assertThatIllegalArgumentException().isThrownBy(
|
||||
ForwardedHeaderFilterTests.this::filterAndGetWrappedRequest);
|
||||
}
|
||||
}
|
||||
|
||||
@Nested
|
||||
|
||||
@@ -453,6 +453,21 @@ class UriComponentsBuilderTests {
|
||||
assertThat(result.toString()).isEqualTo("http://[1abc:2abc:3abc::5ABC:6abc]:8080/mvc-showcase");
|
||||
}
|
||||
|
||||
@Test // gh-26748
|
||||
void fromHttpRequestWithForwardedInvalidIPv6Address() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setScheme("http");
|
||||
request.setServerName("localhost");
|
||||
request.setServerPort(-1);
|
||||
request.setRequestURI("/mvc-showcase");
|
||||
request.addHeader("X-Forwarded-Host", "2a02:918:175:ab60:45ee:c12c:dac1:808b");
|
||||
|
||||
HttpRequest httpRequest = new ServletServerHttpRequest(request);
|
||||
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
UriComponentsBuilder.fromHttpRequest(httpRequest).build());
|
||||
}
|
||||
|
||||
@Test
|
||||
void fromHttpRequestWithForwardedHost() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
|
||||
Reference in New Issue
Block a user