Add additional HTTP Response splitting prevention

- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.

Issue gh-3910
This commit is contained in:
Gabriel Lavoie
2016-09-21 10:01:50 -05:00
committed by Rob Winch
parent d8690a59e2
commit 4a1f00b90f
2 changed files with 152 additions and 46 deletions

View File

@@ -15,65 +15,158 @@
*/
package org.springframework.security.web.firewall;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletResponse;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import javax.servlet.http.Cookie;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Luke Taylor
* @author Eddú Meléndez
* @author Gabriel Lavoie
*/
public class FirewalledResponseTests {
private MockHttpServletResponse response = new MockHttpServletResponse();
private FirewalledResponse fwResponse = new FirewalledResponse(response);
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Test
public void acceptRedirectLocationWithoutCRLF() throws Exception {
fwResponse.sendRedirect("/theURL");
assertThat(response.getRedirectedUrl()).isEqualTo("/theURL");
}
@Test
public void validateNullSafetyForRedirectLocation() throws Exception {
// Exception from MockHttpServletResponse, exception not described in servlet spec.
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Redirect URL must not be null");
fwResponse.sendRedirect(null);
}
@Test
public void rejectsRedirectLocationContainingCRLF() throws Exception {
MockHttpServletResponse response = new MockHttpServletResponse();
FirewalledResponse fwResponse = new FirewalledResponse(response);
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Invalid characters (CR/LF)");
fwResponse.sendRedirect("/theURL");
assertThat(response.getRedirectedUrl()).isEqualTo("/theURL");
try {
fwResponse.sendRedirect("/theURL\r\nsomething");
fail("IllegalArgumentException should have thrown");
}
catch (IllegalArgumentException expected) {
}
try {
fwResponse.sendRedirect("/theURL\rsomething");
fail("IllegalArgumentException should have thrown");
}
catch (IllegalArgumentException expected) {
}
try {
fwResponse.sendRedirect("/theURL\nsomething");
fail("IllegalArgumentException should have thrown");
}
catch (IllegalArgumentException expected) {
}
fwResponse.sendRedirect("/theURL\r\nsomething");
}
@Test
public void rejectHeaderContainingCRLF() {
MockHttpServletResponse response = new MockHttpServletResponse();
FirewalledResponse fwResponse = new FirewalledResponse(response);
public void acceptHeaderValueWithoutCRLF() throws Exception {
fwResponse.addHeader("foo", "bar");
assertThat(response.getHeader("foo")).isEqualTo("bar");
}
@Test
public void validateNullSafetyForHeaderValue() throws Exception {
// Exception from MockHttpServletResponse, exception not described in servlet spec.
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Header value must not be null");
fwResponse.addHeader("foo", null);
}
@Test
public void rejectHeaderValueContainingCRLF() {
expectCRLFValidationException();
fwResponse.addHeader("foo", "abc\r\nContent-Length:100");
}
@Test
public void rejectHeaderNameContainingCRLF() {
expectCRLFValidationException();
fwResponse.addHeader("abc\r\nContent-Length:100", "bar");
}
@Test
public void acceptCookieWithoutCRLF() {
Cookie cookie = new Cookie("foo", "bar");
cookie.setPath("/foobar");
cookie.setDomain("foobar");
cookie.setComment("foobar");
fwResponse.addCookie(cookie);
}
@Test
public void rejectCookieNameContainingCRLF() {
// This one is thrown by the Cookie class constructor from javax.servlet-api,
// no need to cover in FirewalledResponse.
expectedException.expect(IllegalArgumentException.class);
Cookie cookie = new Cookie("foo\r\nbar", "bar");
}
@Test
public void rejectCookieValueContainingCRLF() {
expectCRLFValidationException();
Cookie cookie = new Cookie("foo", "foo\r\nbar");
fwResponse.addCookie(cookie);
}
@Test
public void rejectCookiePathContainingCRLF() {
expectCRLFValidationException();
Cookie cookie = new Cookie("foo", "bar");
cookie.setPath("/foo\r\nbar");
fwResponse.addCookie(cookie);
}
@Test
public void rejectCookieDomainContainingCRLF() {
expectCRLFValidationException();
Cookie cookie = new Cookie("foo", "bar");
cookie.setDomain("foo\r\nbar");
fwResponse.addCookie(cookie);
}
@Test
public void rejectCookieCommentContainingCRLF() {
expectCRLFValidationException();
Cookie cookie = new Cookie("foo", "bar");
cookie.setComment("foo\r\nbar");
fwResponse.addCookie(cookie);
}
@Test
public void rejectAnyLineEndingInNameAndValue() {
validateLineEnding("foo", "foo\rbar");
validateLineEnding("foo", "foo\r\nbar");
validateLineEnding("foo", "foo\nbar");
validateLineEnding("foo\rbar", "bar");
validateLineEnding("foo\r\nbar", "bar");
validateLineEnding("foo\nbar", "bar");
}
private void expectCRLFValidationException() {
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Invalid characters (CR/LF)");
}
private void validateLineEnding(String name, String value) {
try {
fwResponse.addHeader("foo", "abc\r\nContent-Length:100");
fail("IllegalArgumentException should have thrown");
}
catch (IllegalArgumentException expected) {
}
try {
fwResponse.setHeader("foo", "abc\r\nContent-Length:100");
fwResponse.validateCRLF(name, value);
fail("IllegalArgumentException should have thrown");
}
catch (IllegalArgumentException expected) {
}
}
}