Add support for BREACH

Closes gh-4001
This commit is contained in:
Steve Riesenberg
2022-10-04 16:06:35 -05:00
parent a5cc1f0b60
commit dce1c30522
7 changed files with 545 additions and 3 deletions

View File

@@ -18,6 +18,7 @@ package org.springframework.security.web.csrf;
import java.io.IOException;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -33,6 +34,8 @@ import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -362,6 +365,45 @@ public class CsrfFilterTests {
verify(this.filterChain).doFilter(this.request, this.response);
}
@Test
public void doFilterWhenXorCsrfTokenRequestAttributeHandlerAndValidTokenThenSuccess() throws Exception {
given(this.requestMatcher.matches(this.request)).willReturn(false);
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false));
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
requestHandler.setCsrfRequestAttributeName(this.token.getParameterName());
this.filter.setRequestHandler(requestHandler);
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull();
verify(this.filterChain).doFilter(this.request, this.response);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
byte[] csrfTokenAttributeBytes = Base64.getUrlDecoder().decode(csrfTokenAttribute.getToken());
byte[] actualTokenBytes = Utf8.encode(this.token.getToken());
// XOR'd token length is 2x due to containing the random bytes
assertThat(csrfTokenAttributeBytes).hasSize(actualTokenBytes.length * 2);
given(this.requestMatcher.matches(this.request)).willReturn(true);
this.request.setParameter(this.token.getParameterName(), csrfTokenAttribute.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
verify(this.filterChain, times(2)).doFilter(this.request, this.response);
}
@Test
public void doFilterWhenXorCsrfTokenRequestAttributeHandlerAndRawTokenThenAccessDeniedException() throws Exception {
given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadDeferredToken(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false));
XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
this.filter.setRequestHandler(requestHandler);
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(AccessDeniedException.class));
verifyNoMoreInteractions(this.filterChain);
}
@Test
public void setRequireCsrfProtectionMatcherNull() {
assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setRequireCsrfProtectionMatcher(null));

View File

@@ -0,0 +1,203 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.stubbing.Answer;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.willAnswer;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
/**
* Tests for {@link XorCsrfTokenRequestAttributeHandler}.
*
* @author Steve Riesenberg
* @since 5.8
*/
public class XorCsrfTokenRequestAttributeHandlerTests {
private static final byte[] XOR_CSRF_TOKEN_BYTES = new byte[] { 1, 1, 1, 96, 99, 98 };
private static final String XOR_CSRF_TOKEN_VALUE = Base64.getEncoder().encodeToString(XOR_CSRF_TOKEN_BYTES);
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfToken token;
private SecureRandom secureRandom;
private XorCsrfTokenRequestAttributeHandler handler;
@BeforeEach
public void setup() {
this.request = new MockHttpServletRequest();
this.response = new MockHttpServletResponse();
this.token = new DefaultCsrfToken("headerName", "paramName", "abc");
this.secureRandom = mock(SecureRandom.class);
this.handler = new XorCsrfTokenRequestAttributeHandler();
}
@Test
public void setSecureRandomWhenNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.setSecureRandom(null))
.withMessage("secureRandom cannot be null");
// @formatter:on
}
@Test
public void handleWhenRequestIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.handle(null, this.response, () -> this.token))
.withMessage("request cannot be null");
// @formatter:on
}
@Test
public void handleWhenResponseIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.handle(this.request, null, () -> this.token))
.withMessage("response cannot be null");
// @formatter:on
}
@Test
public void handleWhenCsrfTokenSupplierIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.handle(this.request, this.response, null))
.withMessage("deferredCsrfToken cannot be null");
// @formatter:on
}
@Test
public void handleWhenCsrfTokenIsNullThenThrowsIllegalStateException() {
// @formatter:off
assertThatIllegalStateException()
.isThrownBy(() -> this.handler.handle(this.request, this.response, () -> null))
.withMessage("csrfToken supplier returned null");
// @formatter:on
}
@Test
public void handleWhenCsrfRequestAttributeSetThenUsed() {
willAnswer(fillByteArray()).given(this.secureRandom).nextBytes(anyByteArray());
this.handler.setSecureRandom(this.secureRandom);
this.handler.setCsrfRequestAttributeName("_csrf");
this.handler.handle(this.request, this.response, () -> this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
assertThat(this.request.getAttribute("_csrf")).isNotNull();
CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute("_csrf");
assertThat(csrfTokenAttribute.getToken()).isEqualTo(XOR_CSRF_TOKEN_VALUE);
}
@Test
public void handleWhenSecureRandomSetThenUsed() {
this.handler.setSecureRandom(this.secureRandom);
this.handler.handle(this.request, this.response, () -> this.token);
verify(this.secureRandom).nextBytes(anyByteArray());
verifyNoMoreInteractions(this.secureRandom);
}
@Test
public void handleWhenValidParametersThenRequestAttributesSet() {
willAnswer(fillByteArray()).given(this.secureRandom).nextBytes(anyByteArray());
this.handler.setSecureRandom(this.secureRandom);
this.handler.handle(this.request, this.response, () -> this.token);
verify(this.secureRandom).nextBytes(anyByteArray());
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull();
CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
assertThat(csrfTokenAttribute.getToken()).isEqualTo(XOR_CSRF_TOKEN_VALUE);
}
@Test
public void resolveCsrfTokenValueWhenRequestIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
.withMessage("request cannot be null");
}
@Test
public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.request, null))
.withMessage("csrfToken cannot be null");
}
@Test
public void resolveCsrfTokenValueWhenTokenNotSetThenReturnsNull() {
String tokenValue = this.handler.resolveCsrfTokenValue(this.request, this.token);
assertThat(tokenValue).isNull();
}
@Test
public void resolveCsrfTokenValueWhenParameterSetThenReturnsTokenValue() {
this.request.setParameter(this.token.getParameterName(), XOR_CSRF_TOKEN_VALUE);
String tokenValue = this.handler.resolveCsrfTokenValue(this.request, this.token);
assertThat(tokenValue).isEqualTo(this.token.getToken());
}
@Test
public void resolveCsrfTokenValueWhenHeaderSetThenReturnsTokenValue() {
this.request.addHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
String tokenValue = this.handler.resolveCsrfTokenValue(this.request, this.token);
assertThat(tokenValue).isEqualTo(this.token.getToken());
}
@Test
public void resolveCsrfTokenValueWhenHeaderAndParameterSetThenHeaderIsPreferred() {
this.request.addHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
this.request.setParameter(this.token.getParameterName(), "invalid");
String tokenValue = this.handler.resolveCsrfTokenValue(this.request, this.token);
assertThat(tokenValue).isEqualTo(this.token.getToken());
}
private static Answer<Void> fillByteArray() {
return (invocation) -> {
byte[] bytes = invocation.getArgument(0);
Arrays.fill(bytes, (byte) 1);
return null;
};
}
private static byte[] anyByteArray() {
return any(byte[].class);
}
}