Validate headers and parameters in StrictHttpFirewall
Adds methods to configure validation of header names and values and parameter names and values: * setAllowedHeaderNames(Predicate) * setAllowedHeaderValues(Predicate) * setAllowedParameterNames(Predicate) * setAllowedParameterValues(Predicate) By default, header names, header values, and parameter names that contain ISO control characters or unassigned unicode characters are rejected. No parameter value validation is performed by default. Issue gh-8644
This commit is contained in:
committed by
Josh Cummings
parent
88028d82ed
commit
c71352c548
@@ -23,6 +23,8 @@ import static org.assertj.core.api.Assertions.fail;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
@@ -595,4 +597,145 @@ public class StrictHttpFirewallTests {
|
||||
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenNotAllowedHeaderNameThenException() {
|
||||
this.firewall.setAllowedHeaderNames(name -> !name.equals("bad name"));
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("bad name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenNotAllowedHeaderValueThenException() {
|
||||
this.request.addHeader("good name", "bad value");
|
||||
this.firewall.setAllowedHeaderValues(value -> !value.equals("bad value"));
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("good name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetDateHeaderWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getDateHeader("Bad\0Name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetIntHeaderWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getIntHeader("Bad\0Name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("Bad\0Name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenUndefinedCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\uFFFEName", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("Bad\uFFFEName");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeadersWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeaders("Bad\0Name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderNamesWhenControlCharacterInHeaderNameThenException() {
|
||||
this.request.addHeader("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeaderNames().nextElement();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.addHeader("Something", "bad\0value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("Something");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeaderWhenUndefinedCharacterInHeaderValueThenException() {
|
||||
this.request.addHeader("Something", "bad\uFFFEvalue");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeader("Something");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetHeadersWhenControlCharacterInHeaderValueThenException() {
|
||||
this.request.addHeader("Something", "bad\0value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getHeaders("Something").nextElement();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterWhenControlCharacterInParameterNameThenException() {
|
||||
this.request.addParameter("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameter("Bad\0Name");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterMapWhenControlCharacterInParameterNameThenException() {
|
||||
this.request.addParameter("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameterMap();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterNamesWhenControlCharacterInParameterNameThenException() {
|
||||
this.request.addParameter("Bad\0Name", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameterNames().nextElement();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterNamesWhenUndefinedCharacterInParameterNameThenException() {
|
||||
this.request.addParameter("Bad\uFFFEName", "some value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameterNames().nextElement();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterValueThenException() {
|
||||
this.firewall.setAllowedParameterValues(value -> !value.equals("bad value"));
|
||||
|
||||
this.request.addParameter("Something", "bad value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameterValues("Something");
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterNameThenException() {
|
||||
this.firewall.setAllowedParameterNames(value -> !value.equals("bad name"));
|
||||
|
||||
this.request.addParameter("bad name", "good value");
|
||||
|
||||
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
|
||||
request.getParameterValues("bad name");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user