Restrict HTTP methods on Reactive HiddenHttpMethodFilter

This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter
(Reactive variant) to the following: PUT, DELETE, PATCH.

This filter is meant to be used to simulate those methods from HTML
forms sent by browsers, so no other methods are allowed.

Issue: SPR-16836
Brian Clozel
2018-05-18 14:35:35 +02:00
parent f64fa3dea1
commit a5cd01a4c8
2 changed files with 21 additions and 3 deletions


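--- a/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java
+++ b/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2017 the original author or authors.
+* Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 package org.springframework.web.filter.reactive;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Locale;
 import reactor.core.publisher.Mono;
@@ -45,6 +48,10 @@ import org.springframework.web.server.WebFilterChain;
 */
 public class HiddenHttpMethodFilter implements WebFilter {
+private static final List<HttpMethod> ALLOWED_METHODS =
+Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
+HttpMethod.DELETE, HttpMethod.PATCH));
 /** Default name of the form parameter with the HTTP method to use */
 public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
@@ -87,7 +94,12 @@ public class HiddenHttpMethodFilter implements WebFilter {
 private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
 HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
 Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
-return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
+if (ALLOWED_METHODS.contains(httpMethod)) {
+return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
+}
+else {
+return exchange;
+}
 }
 }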
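Review bot: The new `else` branch in mapExchange leaves two inconsistent outcomes for a bad `_method` value: a name that HttpMethod.resolve does not recognize still trips the `Assert.notNull` kept on the line above and throws IllegalArgumentException, while a recognized but disallowed method such as TRACE is silently ignored and the request proceeds as the original POST. Since this parameter is browser-supplied input, consider giving both cases the same quiet path by dropping the assert and relying on `ALLOWED_METHODS.contains(httpMethod)` being false for null, or at least document the split on the branch, e.g. `// Recognized but disallowed override (anything but PUT/DELETE/PATCH): keep the original request`. The class Javadoc, which sits outside this hunk, should also state that only PUT, DELETE and PATCH are honored and that any other value is not applied. If HttpMethod is still an enum in this version, `Collections.unmodifiableSet(EnumSet.of(HttpMethod.PUT, HttpMethod.DELETE, HttpMethod.PATCH))` would express an allow-list used only for `contains` more directly than an unmodifiable list.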


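--- a/HiddenHttpMethodFilterTests.java
+++ b/HiddenHttpMethodFilterTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2017 the original author or authors.
+* Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests {
 assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
 }
+@Test
+public void filterWithParameterMethodNotAllowed() {
+postForm("_method=TRACE").block(Duration.ZERO);
+assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
+}
 @Test
 public void filterWithNoParameter() {
 postForm("").block(Duration.ZERO);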
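Review bot: The new filterWithParameterMethodNotAllowed pins only one disallowed value, TRACE, and nothing pins the neighboring case of a value HttpMethod.resolve cannot map, which after this commit still reaches the Assert.notNull in mapExchange and throws instead of quietly staying POST; a sibling test such as `postForm("_method=FOO")` asserting whichever outcome is intended would make that split explicit. Whether PUT and PATCH are already exercised is not visible in this hunk; if not, one check per allowed method would guard the allow-list in both directions. HiddenHttpMethodFilterTests continues outside the hunk.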