Consider having HeaderWriters check before writing

All HeadersWriter only write Header if its not already
written.

Fixes: gh-6454 gh-5193
This commit is contained in:
Ankur Pathak
2019-02-06 14:04:35 +05:30
committed by Josh Cummings
parent 4742c18e4b
commit 93d6a38ffd
16 changed files with 178 additions and 32 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -24,12 +24,16 @@ import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Joe Grandja
* @author Ankur Pathak
*/
public class ContentSecurityPolicyHeaderWriterTests {
private static final String DEFAULT_POLICY_DIRECTIVES = "default-src 'self'";
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private ContentSecurityPolicyHeaderWriter writer;
private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
private static final String CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";
@Before
public void setup() {
@@ -87,4 +91,21 @@ public class ContentSecurityPolicyHeaderWriterTests {
writer = new ContentSecurityPolicyHeaderWriter(null);
}
}
@Test
public void writeHeaderOnlyIfNotPresentContentSecurityPolicyHeader(){
String value = new String("value");
this.response.setHeader(CONTENT_SECURITY_POLICY_HEADER, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(CONTENT_SECURITY_POLICY_HEADER)).isSameAs(value);
}
@Test
public void writeHeaderOnlyIfNotPresentContentSecurityPolicyReportOnlyHeader(){
String value = new String("value");
this.response.setHeader(CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER, value);
this.writer.setReportOnly(true);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
* Tests for {@link FeaturePolicyHeaderWriter}.
*
* @author Vedran Pavic
* @author Ankur Pathak
*/
public class FeaturePolicyHeaderWriterTests {
@@ -40,6 +41,8 @@ public class FeaturePolicyHeaderWriterTests {
private FeaturePolicyHeaderWriter writer;
private static final String FEATURE_POLICY_HEADER = "Feature-Policy";
@Before
public void setUp() {
this.request = new MockHttpServletRequest();
@@ -70,4 +73,12 @@ public class FeaturePolicyHeaderWriterTests {
.hasMessage("policyDirectives must not be null or empty");
}
@Test
public void writeHeaderOnlyIfNotPresent(){
String value = new String("value");
this.response.setHeader(FEATURE_POLICY_HEADER, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(FEATURE_POLICY_HEADER)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Tim Ysewyn
* @author Ankur Pathak
*
*/
public class HpkpHeaderWriterTests {
@@ -47,6 +48,10 @@ public class HpkpHeaderWriterTests {
private HpkpHeaderWriter writer;
private static final String HPKP_HEADER_NAME = "Public-Key-Pins";
private static final String HPKP_RO_HEADER_NAME = "Public-Key-Pins-Report-Only";
@Before
public void setup() {
request = new MockHttpServletRequest();
@@ -196,4 +201,22 @@ public class HpkpHeaderWriterTests {
public void setIncorrectReportUri() {
writer.setReportUri("some url here...");
}
@Test
public void writeHeaderOnlyIfNotPresentPublicKeyPins(){
String value = new String("value");
this.response.setHeader(HPKP_HEADER_NAME, value);
this.writer.setReportOnly(false);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(HPKP_HEADER_NAME)).isSameAs(value);
}
@Test
public void writeHeaderOnlyIfNotPresentPublicKeyPinsReportOnly(){
String value = new String("value");
this.response.setHeader(HPKP_RO_HEADER_NAME, value);
this.writer.setReportOnly(false);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(HPKP_RO_HEADER_NAME)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -21,11 +21,11 @@ import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
/**
* @author Rob Winch
* @author Ankur Pathak
*
*/
public class HstsHeaderWriterTests {
@@ -34,6 +34,8 @@ public class HstsHeaderWriterTests {
private HstsHeaderWriter writer;
private static final String HSTS_HEADER_NAME = "Strict-Transport-Security";
@Before
public void setup() {
request = new MockHttpServletRequest();
@@ -150,4 +152,12 @@ public class HstsHeaderWriterTests {
public void setRequestMatcherToNull() {
writer.setRequestMatcher(null);
}
@Test
public void writeHeaderOnlyIfNotPresent(){
String value = new String("value");
this.response.setHeader(HSTS_HEADER_NAME, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(HSTS_HEADER_NAME)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,10 +22,11 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.*;
import static org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
/**
* @author Eddú Meléndez
* @author Ankur Pathak
*/
public class ReferrerPolicyHeaderWriterTests {
@@ -34,6 +35,8 @@ public class ReferrerPolicyHeaderWriterTests {
private MockHttpServletResponse response;
private ReferrerPolicyHeaderWriter writer;
private static final String REFERRER_POLICY_HEADER = "Referrer-Policy";
@Before
public void setup() {
this.request = new MockHttpServletRequest();
@@ -65,4 +68,11 @@ public class ReferrerPolicyHeaderWriterTests {
this.writer = new ReferrerPolicyHeaderWriter(null);
}
@Test
public void writeHeaderOnlyIfNotPresent(){
String value = new String("value");
this.response.setHeader(REFERRER_POLICY_HEADER, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(REFERRER_POLICY_HEADER)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -25,13 +25,13 @@ import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.Header;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
/**
* Test for the {@code StaticHeadersWriter}
*
* @author Marten Deinum
* @author Rob Winch
* @author Ankur Pathak
* @since 3.2
*/
public class StaticHeaderWriterTests {
@@ -96,4 +96,23 @@ public class StaticHeaderWriterTests {
assertThat(response.getHeaderValues(cacheControl.getName())).isEqualTo(
cacheControl.getValues());
}
@Test
public void writeHeaderOnlyIfNotPresent() {
String pragmaValue = new String("pragmaValue");
String cacheControlValue = new String("cacheControlValue");
this.response.setHeader("Pragma", pragmaValue);
this.response.setHeader("Cache-Control", cacheControlValue);
Header pragma = new Header("Pragma", "no-cache");
Header cacheControl = new Header("Cache-Control", "no-cache", "no-store",
"must-revalidate");
StaticHeadersWriter factory = new StaticHeadersWriter(Arrays.asList(pragma,
cacheControl));
factory.writeHeaders(this.request, this.response);
assertThat(this.response.getHeaderNames()).hasSize(2);
assertThat(this.response.getHeader("Pragma")).isSameAs(pragmaValue);
assertThat(this.response.getHeader("Cache-Control")).isSameAs(cacheControlValue);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Rob Winch
* @author Ankur Pathak
*
*/
public class XXssProtectionHeaderWriterTests {
@@ -34,6 +35,8 @@ public class XXssProtectionHeaderWriterTests {
private XXssProtectionHeaderWriter writer;
private static final String XSS_PROTECTION_HEADER = "X-XSS-Protection";
@Before
public void setup() {
request = new MockHttpServletRequest();
@@ -87,4 +90,12 @@ public class XXssProtectionHeaderWriterTests {
writer.setBlock(true);
}
@Test
public void writeHeaderOnlyIfNotPresent(){
String value = new String("value");
this.response.setHeader(XSS_PROTECTION_HEADER, value);
this.writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(XSS_PROTECTION_HEADER)).isSameAs(value);
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -21,17 +21,21 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import java.util.Arrays;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Rob Winch
* @author AnkurPathak
* @since 5.0
*/
public class XFrameOptionsHeaderWriterTests {
private MockHttpServletRequest request = new MockHttpServletRequest();
private MockHttpServletResponse response = new MockHttpServletResponse();
private static final String XFRAME_OPTIONS_HEADER = "X-Frame-Options";
@Test
public void writeHeadersWhenWhiteList() {
WhiteListedAllowFromStrategy whitelist = new WhiteListedAllowFromStrategy(Arrays.asList("example.com"));
@@ -43,4 +47,13 @@ public class XFrameOptionsHeaderWriterTests {
assertThat(this.response.getHeaderValue(XFrameOptionsHeaderWriter.XFRAME_OPTIONS_HEADER)).isEqualTo("DENY");
}
@Test
public void writeHeaderOnlyIfNotPresent(){
WhiteListedAllowFromStrategy whitelist = new WhiteListedAllowFromStrategy(Collections.singletonList("example.com"));
XFrameOptionsHeaderWriter writer = new XFrameOptionsHeaderWriter(whitelist);
String value = new String("value");
this.response.setHeader(XFRAME_OPTIONS_HEADER, value);
writer.writeHeaders(this.request, this.response);
assertThat(this.response.getHeader(XFRAME_OPTIONS_HEADER)).isSameAs(value);
}
}