SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method
This commit is contained in:
@@ -151,6 +151,16 @@ public class AntPathRequestMatcherTests {
|
||||
new AntPathRequestMatcher("/blah", "GET").toString();
|
||||
}
|
||||
|
||||
// SEC-2831
|
||||
@Test
|
||||
public void matchesWithInvalidMethod() {
|
||||
AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah", "GET");
|
||||
MockHttpServletRequest request = createRequest("/blah");
|
||||
request.setMethod("INVALID");
|
||||
|
||||
assertThat(matcher.matches(request)).isFalse();
|
||||
}
|
||||
|
||||
private HttpServletRequest createRequestWithNullMethod(String path) {
|
||||
when(request.getQueryString()).thenReturn("doesntMatter");
|
||||
when(request.getServletPath()).thenReturn(path);
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
*/
|
||||
package org.springframework.security.web.util.matcher;
|
||||
|
||||
import static org.fest.assertions.Assertions.assertThat;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.mockito.Mockito.when;
|
||||
@@ -94,6 +95,16 @@ public class RegexRequestMatcherTests {
|
||||
assertFalse(matcher.matches(request));
|
||||
}
|
||||
|
||||
// SEC-2831
|
||||
@Test
|
||||
public void matchesWithInvalidMethod() {
|
||||
RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("INVALID","/blah");
|
||||
request.setMethod("INVALID");
|
||||
|
||||
assertThat(matcher.matches(request)).isFalse();
|
||||
}
|
||||
|
||||
private HttpServletRequest createRequestWithNullMethod(String path) {
|
||||
when(request.getQueryString()).thenReturn("doesntMatter");
|
||||
when(request.getServletPath()).thenReturn(path);
|
||||
|
||||
Reference in New Issue
Block a user