Fix http URLs

See gh-22839
This commit is contained in:
Rob Winch
2019-04-23 16:35:28 -05:00
committed by Stephane Nicoll
parent b5fba14ab8
commit fde92793b5
36 changed files with 215 additions and 207 deletions

View File

@@ -81,18 +81,22 @@ public class ServletServerHttpRequestTests {
@Test // SPR-16414
public void getUriWithQueryParam() throws URISyntaxException {
mockRequest.setScheme("https");
mockRequest.setServerPort(443);
mockRequest.setServerName("example.com");
mockRequest.setRequestURI("/path");
mockRequest.setQueryString("query=foo");
assertThat(request.getURI()).isEqualTo(new URI("http://example.com/path?query=foo"));
assertThat(request.getURI()).isEqualTo(new URI("https://example.com/path?query=foo"));
}
@Test // SPR-16414
public void getUriWithMalformedQueryParam() throws URISyntaxException {
mockRequest.setScheme("https");
mockRequest.setServerPort(443);
mockRequest.setServerName("example.com");
mockRequest.setRequestURI("/path");
mockRequest.setQueryString("query=foo%%x");
assertThat(request.getURI()).isEqualTo(new URI("http://example.com/path"));
assertThat(request.getURI()).isEqualTo(new URI("https://example.com/path"));
}
@Test // SPR-13876

View File

@@ -50,7 +50,7 @@ public class DefaultCorsProcessorTests {
public void setup() {
this.request = new MockHttpServletRequest();
this.request.setRequestURI("/test.html");
this.request.setServerName("domain1.com");
this.request.setServerName("domain1.example");
this.conf = new CorsConfiguration();
this.response = new MockHttpServletResponse();
this.response.setStatus(HttpServletResponse.SC_OK);
@@ -71,7 +71,7 @@ public class DefaultCorsProcessorTests {
@Test
public void sameOriginRequest() throws Exception {
this.request.setMethod(HttpMethod.GET.name());
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain1.com");
this.request.addHeader(HttpHeaders.ORIGIN, "http://domain1.example");
this.processor.processRequest(this.conf, this.request, this.response);
assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isFalse();
@@ -124,7 +124,7 @@ public class DefaultCorsProcessorTests {
this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("https://domain2.com");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.setAllowCredentials(true);
this.processor.processRequest(this.conf, this.request, this.response);
@@ -296,7 +296,7 @@ public class DefaultCorsProcessorTests {
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("https://domain2.com");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);
@@ -318,7 +318,7 @@ public class DefaultCorsProcessorTests {
this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("*");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);

View File

@@ -39,7 +39,7 @@ public class CorsUtilsTests {
@Test
public void isCorsRequest() {
ServerHttpRequest request = get("http://domain.com/").header(HttpHeaders.ORIGIN, "https://domain.com").build();
ServerHttpRequest request = get("http://domain.example/").header(HttpHeaders.ORIGIN, "https://domain.com").build();
assertThat(CorsUtils.isCorsRequest(request)).isTrue();
}
@@ -69,32 +69,32 @@ public class CorsUtilsTests {
@Test // SPR-16262
public void isSameOriginWithXForwardedHeaders() {
String server = "mydomain1.com";
testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.com");
testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.com");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", -1, "https://mydomain2.com");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", -1, "https://mydomain2.com");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
String server = "mydomain1.example";
testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.example");
testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.example");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", -1, "https://mydomain2.example");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", -1, "https://mydomain2.example");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
}
@Test // SPR-16262
public void isSameOriginWithForwardedHeader() {
String server = "mydomain1.com";
testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.com");
testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.com");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com", "https://mydomain2.com");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com", "https://mydomain2.com");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
String server = "mydomain1.example";
testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.example");
testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.example");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example", "https://mydomain2.example");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example", "https://mydomain2.example");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
}
@Test // SPR-16362
@SuppressWarnings("deprecation")
public void isSameOriginWithDifferentSchemes() {
MockServerHttpRequest request = MockServerHttpRequest
.get("http://mydomain1.com")
.header(HttpHeaders.ORIGIN, "https://mydomain1.com")
.get("http://mydomain1.example")
.header(HttpHeaders.ORIGIN, "https://mydomain1.example")
.build();
assertThat(CorsUtils.isSameOrigin(request)).isFalse();
}

View File

@@ -58,7 +58,7 @@ public class DefaultCorsProcessorTests {
@Test
public void requestWithoutOriginHeader() throws Exception {
MockServerHttpRequest request = MockServerHttpRequest
.method(HttpMethod.GET, "http://domain1.com/test.html")
.method(HttpMethod.GET, "http://domain1.example/test.html")
.build();
ServerWebExchange exchange = MockServerWebExchange.from(request);
this.processor.process(this.conf, exchange);
@@ -73,8 +73,8 @@ public class DefaultCorsProcessorTests {
@Test
public void sameOriginRequest() throws Exception {
MockServerHttpRequest request = MockServerHttpRequest
.method(HttpMethod.GET, "http://domain1.com/test.html")
.header(HttpHeaders.ORIGIN, "http://domain1.com")
.method(HttpMethod.GET, "http://domain1.example/test.html")
.header(HttpHeaders.ORIGIN, "http://domain1.example")
.build();
ServerWebExchange exchange = MockServerWebExchange.from(request);
this.processor.process(this.conf, exchange);
@@ -129,7 +129,7 @@ public class DefaultCorsProcessorTests {
ServerWebExchange exchange = actualRequest();
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("https://domain2.com");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.setAllowCredentials(true);
this.processor.process(this.conf, exchange);
@@ -306,7 +306,7 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("https://domain2.com");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);
@@ -330,7 +330,7 @@ public class DefaultCorsProcessorTests {
this.conf.addAllowedOrigin("https://domain1.com");
this.conf.addAllowedOrigin("*");
this.conf.addAllowedOrigin("http://domain3.com");
this.conf.addAllowedOrigin("http://domain3.example");
this.conf.addAllowedHeader("Header1");
this.conf.setAllowCredentials(true);

View File

@@ -313,7 +313,7 @@ public class ForwardedHeaderFilterTests {
public void forwardedRequestWithServletForward() throws Exception {
this.request.setRequestURI("/foo");
this.request.addHeader(X_FORWARDED_PROTO, "https");
this.request.addHeader(X_FORWARDED_HOST, "www.mycompany.com");
this.request.addHeader(X_FORWARDED_HOST, "www.mycompany.example");
this.request.addHeader(X_FORWARDED_PORT, "443");
this.filter.doFilter(this.request, new MockHttpServletResponse(), this.filterChain);
@@ -328,7 +328,7 @@ public class ForwardedHeaderFilterTests {
assertThat(actual).isNotNull();
assertThat(actual.getRequestURI()).isEqualTo("/bar");
assertThat(actual.getRequestURL().toString()).isEqualTo("https://www.mycompany.com/bar");
assertThat(actual.getRequestURL().toString()).isEqualTo("https://www.mycompany.example/bar");
}
@Test
@@ -440,7 +440,7 @@ public class ForwardedHeaderFilterTests {
this.request.addHeader(X_FORWARDED_HOST, "example.com");
this.request.addHeader(X_FORWARDED_PORT, "443");
String location = "http://example.org/foo/bar";
String location = "http://company.example/foo/bar";
String redirectedUrl = sendRedirect(location);
assertThat(redirectedUrl).isEqualTo(location);
}

View File

@@ -49,31 +49,31 @@ public class DefaultUriBuilderFactoryTests {
@Test
public void baseUri() {
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.com/v1?id=123");
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.example/v1?id=123");
URI uri = factory.uriString("/bar").port(8080).build();
assertThat(uri.toString()).isEqualTo("https://foo.com:8080/v1/bar?id=123");
assertThat(uri.toString()).isEqualTo("https://foo.example:8080/v1/bar?id=123");
}
@Test
public void baseUriWithFullOverride() {
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.com/v1?id=123");
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.example/v1?id=123");
URI uri = factory.uriString("https://example.com/1/2").build();
assertThat(uri.toString()).as("Use of host should case baseUri to be completely ignored").isEqualTo("https://example.com/1/2");
}
@Test
public void baseUriWithPathOverride() {
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.com/v1");
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://foo.example/v1");
URI uri = factory.builder().replacePath("/baz").build();
assertThat(uri.toString()).isEqualTo("https://foo.com/baz");
assertThat(uri.toString()).isEqualTo("https://foo.example/baz");
}
@Test
public void defaultUriVars() {
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://{host}/v1");
factory.setDefaultUriVariables(singletonMap("host", "foo.com"));
factory.setDefaultUriVariables(singletonMap("host", "foo.example"));
URI uri = factory.uriString("/{id}").build(singletonMap("id", "123"));
assertThat(uri.toString()).isEqualTo("https://foo.com/v1/123");
assertThat(uri.toString()).isEqualTo("https://foo.example/v1/123");
}
@Test
@@ -87,9 +87,9 @@ public class DefaultUriBuilderFactoryTests {
@Test
public void defaultUriVarsWithEmptyVarArg() {
DefaultUriBuilderFactory factory = new DefaultUriBuilderFactory("https://{host}/v1");
factory.setDefaultUriVariables(singletonMap("host", "foo.com"));
factory.setDefaultUriVariables(singletonMap("host", "foo.example"));
URI uri = factory.uriString("/bar").build();
assertThat(uri.toString()).as("Expected delegation to build(Map) method").isEqualTo("https://foo.com/v1/bar");
assertThat(uri.toString()).as("Expected delegation to build(Map) method").isEqualTo("https://foo.example/v1/bar");
}
@Test

View File

@@ -92,41 +92,41 @@ public class WebUtilsTests {
@Test
public void isValidOrigin() {
List<String> allowed = Collections.emptyList();
assertThat(checkValidOrigin("mydomain1.com", -1, "http://mydomain1.com", allowed)).isTrue();
assertThat(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed)).isFalse();
assertThat(checkValidOrigin("mydomain1.example", -1, "http://mydomain1.example", allowed)).isTrue();
assertThat(checkValidOrigin("mydomain1.example", -1, "http://mydomain2.example", allowed)).isFalse();
allowed = Collections.singletonList("*");
assertThat(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed)).isTrue();
assertThat(checkValidOrigin("mydomain1.example", -1, "http://mydomain2.example", allowed)).isTrue();
allowed = Collections.singletonList("http://mydomain1.com");
assertThat(checkValidOrigin("mydomain2.com", -1, "http://mydomain1.com", allowed)).isTrue();
assertThat(checkValidOrigin("mydomain2.com", -1, "http://mydomain3.com", allowed)).isFalse();
allowed = Collections.singletonList("http://mydomain1.example");
assertThat(checkValidOrigin("mydomain2.example", -1, "http://mydomain1.example", allowed)).isTrue();
assertThat(checkValidOrigin("mydomain2.example", -1, "http://mydomain3.example", allowed)).isFalse();
}
@Test
public void isSameOrigin() {
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80")).isTrue();
assertThat(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com")).isTrue();
assertThat(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com:443")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", 123, "http://mydomain1.com:123")).isTrue();
assertThat(checkSameOrigin("ws", "mydomain1.com", -1, "ws://mydomain1.com")).isTrue();
assertThat(checkSameOrigin("wss", "mydomain1.com", 443, "wss://mydomain1.com")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example:80")).isTrue();
assertThat(checkSameOrigin("https", "mydomain1.example", 443, "https://mydomain1.example")).isTrue();
assertThat(checkSameOrigin("https", "mydomain1.example", 443, "https://mydomain1.example:443")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", 123, "http://mydomain1.example:123")).isTrue();
assertThat(checkSameOrigin("ws", "mydomain1.example", -1, "ws://mydomain1.example")).isTrue();
assertThat(checkSameOrigin("wss", "mydomain1.example", 443, "wss://mydomain1.example")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain2.com")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "invalid-origin")).isFalse();
assertThat(checkSameOrigin("https", "mydomain1.com", -1, "http://mydomain1.com")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain2.example")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "https://mydomain1.example")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "invalid-origin")).isFalse();
assertThat(checkSameOrigin("https", "mydomain1.example", -1, "http://mydomain1.example")).isFalse();
// Handling of invalid origins as described in SPR-13478
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/path")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/path")).isTrue();
assertThat(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/path")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/path")).isFalse();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example/")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example:80/")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example/path")).isTrue();
assertThat(checkSameOrigin("http", "mydomain1.example", -1, "http://mydomain1.example:80/path")).isTrue();
assertThat(checkSameOrigin("http", "mydomain2.example", -1, "http://mydomain1.example/")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.example", -1, "http://mydomain1.example:80/")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.example", -1, "http://mydomain1.example/path")).isFalse();
assertThat(checkSameOrigin("http", "mydomain2.example", -1, "http://mydomain1.example:80/path")).isFalse();
// Handling of IPv6 hosts as described in SPR-13525
assertThat(checkSameOrigin("http", "[::1]", -1, "http://[::1]")).isTrue();
@@ -144,24 +144,24 @@ public class WebUtilsTests {
@Test // SPR-16262
public void isSameOriginWithXForwardedHeaders() throws Exception {
String server = "mydomain1.com";
testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.com");
testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.com");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", -1, "https://mydomain2.com");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", -1, "https://mydomain2.com");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.com", 456, "https://mydomain2.com:456");
String server = "mydomain1.example";
testWithXForwardedHeaders(server, -1, "https", null, -1, "https://mydomain1.example");
testWithXForwardedHeaders(server, 123, "https", null, -1, "https://mydomain1.example");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", -1, "https://mydomain2.example");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", -1, "https://mydomain2.example");
testWithXForwardedHeaders(server, -1, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
testWithXForwardedHeaders(server, 123, "https", "mydomain2.example", 456, "https://mydomain2.example:456");
}
@Test // SPR-16262
public void isSameOriginWithForwardedHeader() throws Exception {
String server = "mydomain1.com";
testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.com");
testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.com");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com", "https://mydomain2.com");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com", "https://mydomain2.com");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
String server = "mydomain1.example";
testWithForwardedHeader(server, -1, "proto=https", "https://mydomain1.example");
testWithForwardedHeader(server, 123, "proto=https", "https://mydomain1.example");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example", "https://mydomain2.example");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example", "https://mydomain2.example");
testWithForwardedHeader(server, -1, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.example:456", "https://mydomain2.example:456");
}