Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/08 15:48:41 UTC

[cxf-fediz] branch 1.4.x-fixes updated (a390914 -> 317a6f3)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git.


    from a390914  Adding the secure processing feature in the IdP
     new 1c6ecf2  Adding further DocType test for the plugins
     new 317a6f3  Disabling test for Spring

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../core/processor/FederationProcessorImpl.java    |  2 +-
 .../cxf/fediz/integrationtests/Spring2Test.java    |  7 +++
 .../cxf/fediz/integrationtests/AbstractTests.java  | 53 ++++++++++++++++++++++
 .../src/test/resources/entity2.xml}                |  0
 4 files changed, 61 insertions(+), 1 deletion(-)
 copy systests/{idp/src/test/resources/entity_wreq2.xml => tests/src/test/resources/entity2.xml} (100%)


[cxf-fediz] 01/02: Adding further DocType test for the plugins

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 1c6ecf2ffdc233395b2bbaa4418f5c900d432eb1
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 14:51:48 2018 +0000

    Adding further DocType test for the plugins
---
 .../core/processor/FederationProcessorImpl.java    |  2 +-
 .../cxf/fediz/integrationtests/AbstractTests.java  | 53 ++++++++++++++++++++++
 systests/tests/src/test/resources/entity2.xml      |  1 +
 3 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 5fc4893..80c3dc4 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -133,7 +133,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
         if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
             el = DOMUtils.getFirstElement(el);
         }
-        if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
+        if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
             LOG.warn("Unexpected root element of wresult: '" + el.getLocalName() + "'");
             throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
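Review bot: The added `el == null` guard still lets a null `el` reach the very next line, where `el.getLocalName()` is evaluated to build the warning message, so a wresult whose RequestSecurityTokenResponseCollection has no child element now fails with a NullPointerException instead of the intended ProcessingException(TYPE.INVALID_REQUEST). The log line needs the same guard: `LOG.warn("Unexpected root element of wresult: '" + (el == null ? "null" : el.getLocalName()) + "'");`. The enclosing method starts and ends outside the hunk, so I cannot see whether any earlier dereference of `el` is similarly unguarded.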
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index fa300b4..e232e4a 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -728,6 +728,59 @@ public abstract class AbstractTests {
         // webClient.close();
     }
 
+    @Test
+    public void testEntityExpansionAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+
+        // Get the initial token
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String entity =
+            IOUtils.toString(this.getClass().getClassLoader().getResource("entity2.xml").openStream(), "UTF-8");
+        String reference = "&m;";
+
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                // Now modify the Signature
+                String value = result.getAttributeNS(null, "value");
+                value = entity + value;
+                value = value.replace("alice", reference);
+                result.setAttributeNS(null, "value", value);
+            }
+        }
+
+        // Invoke back on the RP
+
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        try {
+            button.click();
+            Assert.fail("Failure expected on an entity expansion attack");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+            Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
+        }
+
+        webClient.close();
+    }
+
     @org.junit.Test
     public void testCSRFAttack() throws Exception {
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
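Review bot: The comment `// Now modify the Signature` in the loop over the `wresult` inputs does not describe what the three lines below it do: they prepend the DOCTYPE from entity2.xml and replace `alice` with the `&m;` entity reference, leaving the signature itself untouched apart from being invalidated. Replace it with `// Prepend a DOCTYPE declaring an external entity and swap "alice" for a reference to it, so the RP must reject the document before processing it`. Separately, `getResource("entity2.xml").openStream()` is never closed, since `IOUtils.toString(InputStream, String)` leaves the stream open; reading it inside a try-with-resources (`try (InputStream in = this.getClass().getClassLoader().getResource("entity2.xml").openStream()) { entity = IOUtils.toString(in, "UTF-8"); }`) avoids the leak across the test run.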
diff --git a/systests/tests/src/test/resources/entity2.xml b/systests/tests/src/test/resources/entity2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/tests/src/test/resources/entity2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file



[cxf-fediz] 02/02: Disabling test for Spring

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 317a6f3eae36d9e81959ed2c41738e3f9370db96
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 15:48:30 2018 +0000

    Disabling test for Spring
---
 .../java/org/apache/cxf/fediz/integrationtests/Spring2Test.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index 53f606c..8ccfa3c 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -251,6 +251,13 @@ public class Spring2Test extends AbstractTests {
     }
 
     @Override
+    @Test
+    @Ignore
+    public void testEntityExpansionAttack2() throws Exception {
+
+    }
+
+    @Override
     @org.junit.Test
     public void testCSRFAttack() throws Exception {
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
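Review bot: The new override disables `testEntityExpansionAttack2` for the Spring plugin with a bare `@Ignore` and an empty body, so neither the code nor the commit message records why the external-entity check does not apply here, and the gap is invisible to anyone reading the test report later. JUnit 4 accepts a reason string; use it, e.g. `@Ignore("<reason the entity-expansion test is not applicable to the Spring plugin>")`, and ideally reference the tracking issue in it. The hunk also mixes `@Test` on the new method with `@org.junit.Test` on the neighbouring one, and I cannot see from the hunk whether `Ignore` and `Test` are imported in this file; worth confirming before merging.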
