Add StrictHttpFirewall.allow* new lines and separators
Issue gh-11264
This commit is contained in:
@@ -440,6 +440,82 @@ public class StrictHttpFirewallTests {
|
||||
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsLowercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request.setRequestURI("/something%0a/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsUppercaseEncodedLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request.setRequestURI("/something%0A/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsLineFeedAndAllowedThenException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request.setRequestURI("/something\n/");
|
||||
// Expected an error because the line feed is decoded in an encoded part of the
|
||||
// URL
|
||||
assertThatExceptionOfType(RequestRejectedException.class)
|
||||
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenServletPathContainsLineFeedAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineFeed(true);
|
||||
this.request.setServletPath("/something\n/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsLowercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request.setRequestURI("/something%0d/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsUppercaseEncodedCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request.setRequestURI("/something%0D/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenContainsCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request.setRequestURI("/something\r/");
|
||||
// Expected an error because the carriage return is decoded in an encoded part of
|
||||
// the URL
|
||||
assertThatExceptionOfType(RequestRejectedException.class)
|
||||
.isThrownBy(() -> this.firewall.getFirewalledRequest(this.request));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenServletPathContainsCarriageReturnAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedCarriageReturn(true);
|
||||
this.request.setServletPath("/something\r/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenServletPathContainsLineSeparatorAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedLineSeparator(true);
|
||||
this.request.setServletPath("/something\u2028/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenServletPathContainsParagraphSeparatorAndAllowedThenNoException() {
|
||||
this.firewall.setAllowUrlEncodedParagraphSeparator(true);
|
||||
this.request.setServletPath("/something\u2029/");
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
|
||||
/**
|
||||
* On WebSphere 8.5 a URL like /context-root/a/b;%2f1/c can bypass a rule on /a/b/c
|
||||
* because the pathInfo is /a/b;/1/c which ends up being /a/b/1/c while Spring MVC
|
||||
|
||||
Reference in New Issue
Block a user