SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method

This commit is contained in:
Rob Winch
2015-02-04 11:57:46 -06:00
parent 31234ecef9
commit 07c54e5d0e
4 changed files with 54 additions and 2 deletions

View File

@@ -151,6 +151,16 @@ public class AntPathRequestMatcherTests {
new AntPathRequestMatcher("/blah", "GET").toString();
}
// SEC-2831
@Test
public void matchesWithInvalidMethod() {
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah", "GET");
MockHttpServletRequest request = createRequest("/blah");
request.setMethod("INVALID");
assertThat(matcher.matches(request)).isFalse();
}
private HttpServletRequest createRequestWithNullMethod(String path) {
when(request.getQueryString()).thenReturn("doesntMatter");
when(request.getServletPath()).thenReturn(path);

View File

@@ -12,6 +12,7 @@
*/
package org.springframework.security.web.util.matcher;
import static org.fest.assertions.Assertions.assertThat;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.when;
@@ -94,6 +95,16 @@ public class RegexRequestMatcherTests {
assertFalse(matcher.matches(request));
}
// SEC-2831
@Test
public void matchesWithInvalidMethod() {
RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");
MockHttpServletRequest request = new MockHttpServletRequest("INVALID","/blah");
request.setMethod("INVALID");
assertThat(matcher.matches(request)).isFalse();
}
private HttpServletRequest createRequestWithNullMethod(String path) {
when(request.getQueryString()).thenReturn("doesntMatter");
when(request.getServletPath()).thenReturn(path);