Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/08 15:48:41 UTC
[cxf-fediz] branch 1.4.x-fixes updated (a390914 -> 317a6f3)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a change to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git.
from a390914 Adding the secure processing feature in the IdP
new 1c6ecf2 Adding further DocType test for the plugins
new 317a6f3 Disabling test for Spring
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../core/processor/FederationProcessorImpl.java | 2 +-
.../cxf/fediz/integrationtests/Spring2Test.java | 7 +++
.../cxf/fediz/integrationtests/AbstractTests.java | 53 ++++++++++++++++++++++
.../src/test/resources/entity2.xml} | 0
4 files changed, 61 insertions(+), 1 deletion(-)
copy systests/{idp/src/test/resources/entity_wreq2.xml => tests/src/test/resources/entity2.xml} (100%)
[cxf-fediz] 01/02: Adding further DocType test for the plugins
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 1c6ecf2ffdc233395b2bbaa4418f5c900d432eb1
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 14:51:48 2018 +0000
Adding further DocType test for the plugins
---
.../core/processor/FederationProcessorImpl.java | 2 +-
.../cxf/fediz/integrationtests/AbstractTests.java | 53 ++++++++++++++++++++++
systests/tests/src/test/resources/entity2.xml | 1 +
3 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 5fc4893..80c3dc4 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -133,7 +133,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
el = DOMUtils.getFirstElement(el);
}
- if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
+ if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
LOG.warn("Unexpected root element of wresult: '" + el.getLocalName() + "'");
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
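Review bot: The null guard added on the `if` line is undone one line later: the unchanged `LOG.warn(... el.getLocalName() ...)` still dereferences `el`, so the case the commit sets out to handle (no child element under RequestSecurityTokenResponseCollection) now ends in a NullPointerException thrown from the log call rather than the intended `ProcessingException(TYPE.INVALID_REQUEST)`. Make the message null-safe before the throw, e.g. `LOG.warn("Unexpected root element of wresult: '" + (el == null ? "null" : el.getLocalName()) + "'");`. The enclosing method starts and ends outside the hunk.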
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index fa300b4..e232e4a 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -728,6 +728,59 @@ public abstract class AbstractTests {
// webClient.close();
}
+ @Test
+ public void testEntityExpansionAttack2() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String entity =
+ IOUtils.toString(this.getClass().getClassLoader().getResource("entity2.xml").openStream(), "UTF-8");
+ String reference = "&m;";
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ // Now modify the Signature
+ String value = result.getAttributeNS(null, "value");
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ }
+ }
+
+ // Invoke back on the RP
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ try {
+ button.click();
+ Assert.fail("Failure expected on an entity expansion attack");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
+ }
+
+ webClient.close();
+ }
+
@org.junit.Test
public void testCSRFAttack() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
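Review bot: Both resources the new test opens are leaked on the failure path: the stream from `getResource("entity2.xml").openStream()` is never closed, and the `webClient.close()` at the end is skipped whenever an assertion above it throws. Read the fixture with try-with-resources, `try (InputStream in = this.getClass().getClassLoader().getResource("entity2.xml").openStream()) { entity = IOUtils.toString(in, "UTF-8"); }`, and consider a try-with-resources block around the WebClient as well (it appears to be closeable given the `close()` call, confirm) so the client is released even when `Assert.fail` or the status assertion trips. The comment `// Now modify the Signature` looks copied from a neighbouring test and does not describe the loop; `// Prepend the DOCTYPE carrying the external entity and reference it in place of the username` matches the code. A one-sentence Javadoc stating that the RP is expected to reject a wresult carrying a DOCTYPE with a SYSTEM entity would also help, and the method uses `@Test` where the sibling test below uses `@org.junit.Test`.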
diff --git a/systests/tests/src/test/resources/entity2.xml b/systests/tests/src/test/resources/entity2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/tests/src/test/resources/entity2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file
[cxf-fediz] 02/02: Disabling test for Spring
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 317a6f3eae36d9e81959ed2c41738e3f9370db96
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 15:48:30 2018 +0000
Disabling test for Spring
---
.../java/org/apache/cxf/fediz/integrationtests/Spring2Test.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index 53f606c..8ccfa3c 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -251,6 +251,13 @@ public class Spring2Test extends AbstractTests {
}
@Override
+ @Test
+ @Ignore
+ public void testEntityExpansionAttack2() throws Exception {
+
+ }
+
+ @Override
@org.junit.Test
public void testCSRFAttack() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
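Review bot: The `@Ignore` on the new override carries no reason, so the inherited `testEntityExpansionAttack2` is silently dropped for the Spring plugin and a reader cannot tell whether this records a known gap (the Spring plugin not rejecting a DOCTYPE in wresult) or a harness limitation; the commit message only says "Disabling test for Spring". `@Ignore` takes a message, so `@Ignore("<reason: why the DocType test is disabled for Spring>")`, or a one-line comment in the empty body, would preserve that context for whoever re-enables it. The annotation style also differs from the sibling override below (`@Test` versus `@org.junit.Test`) and is worth aligning. The class continues outside the hunk.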