Restrict HTTP methods on Reactive HiddenHttpMethodFilter
This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter (Reactive variant) to the following: PUT, DELETE, PATCH. This filter is meant to be used to simulate those methods from HTML forms sent by browsers, so no other methods are allowed. Issue: SPR-16836
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,6 +16,9 @@
|
||||
|
||||
package org.springframework.web.filter.reactive;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
@@ -45,6 +48,10 @@ import org.springframework.web.server.WebFilterChain;
|
||||
*/
|
||||
public class HiddenHttpMethodFilter implements WebFilter {
|
||||
|
||||
private static final List<HttpMethod> ALLOWED_METHODS =
|
||||
Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
|
||||
HttpMethod.DELETE, HttpMethod.PATCH));
|
||||
|
||||
/** Default name of the form parameter with the HTTP method to use */
|
||||
public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
|
||||
|
||||
@@ -87,7 +94,12 @@ public class HiddenHttpMethodFilter implements WebFilter {
|
||||
private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
|
||||
HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
|
||||
Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
|
||||
return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
|
||||
if (ALLOWED_METHODS.contains(httpMethod)) {
|
||||
return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
|
||||
}
|
||||
else {
|
||||
return exchange;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
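Review bot: The new guard in mapExchange treats a recognised-but-disallowed value (TRACE in the test) by returning the exchange unchanged, yet an unrecognised `_method` value still reaches the `Assert.notNull` two lines earlier and throws IllegalArgumentException, so two rejections of the same kind of untrusted form input take different paths and only one of them is silent. If the fall-through is the intended behaviour for anything outside the whitelist, folding the check into one guard, `if (httpMethod == null || !ALLOWED_METHODS.contains(httpMethod)) { return exchange; }`, keeps a malformed form value from surfacing as an exception in the filter; if the exception is deliberate, the class Javadoc should say which inputs throw and which are ignored. A one-line comment above the check, `// Only methods a browser form cannot send directly may be simulated; anything else is ignored`, would also record why the list is closed. The hunk covers the whole of mapExchange, and the ALLOWED_METHODS list introduced in the earlier hunk of this file is only read here.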
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests {
|
||||
assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWithParameterMethodNotAllowed() {
|
||||
postForm("_method=TRACE").block(Duration.ZERO);
|
||||
assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWithNoParameter() {
|
||||
postForm("").block(Duration.ZERO);
|
||||
|
||||
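Review bot: filterWithParameterMethodNotAllowed pins the outcome for a recognised-but-disallowed method (TRACE) but not for an unrecognised `_method` value, which on the new side of mapExchange in the other file takes a different path through the existing Assert.notNull. A second test such as `postForm("_method=FOO").block(Duration.ZERO);` asserting whichever outcome is intended would keep the two rejection paths from drifting apart. The enclosing test class and the postForm helper lie outside the hunk.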