Add support for allowedHostnames in StrictHttpFirewall
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
This commit is contained in:
committed by
Josh Cummings
parent
a5cfd9fdb9
commit
f712c5598c
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2012-2017 the original author or authors.
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -29,6 +29,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @author Eddú Meléndez
|
||||
*/
|
||||
public class StrictHttpFirewallTests {
|
||||
public String[] unnormalizedPaths = { "/..", "/./path/", "/path/path/.", "/path/path//.", "./path/../path//.",
|
||||
@@ -524,4 +525,20 @@ public class StrictHttpFirewallTests {
|
||||
this.firewall.getDecodedUrlBlacklist().removeAll(Arrays.asList("//"));
|
||||
assertThatCode(() -> this.firewall.getFirewalledRequest(request)).doesNotThrowAnyException();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFirewalledRequestWhenTrustedDomainThenNoException() {
|
||||
this.request.addHeader("Host", "example.org");
|
||||
this.firewall.setAllowedHostnames(hostname -> hostname.equals("example.org"));
|
||||
|
||||
assertThatCode(() -> this.firewall.getFirewalledRequest(this.request)).doesNotThrowAnyException();
|
||||
}
|
||||
|
||||
@Test(expected = RequestRejectedException.class)
|
||||
public void getFirewalledRequestWhenUntrustedDomainThenException() {
|
||||
this.request.addHeader("Host", "example.org");
|
||||
this.firewall.setAllowedHostnames(hostname -> hostname.equals("myexample.org"));
|
||||
|
||||
this.firewall.getFirewalledRequest(this.request);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user