Posted to commits@sling.apache.org by an...@apache.org on 2022/02/08 12:41:19 UTC

[sling-org-apache-sling-security] branch SLING-11115 created (now 42a0000)

This is an automated email from the ASF dual-hosted git repository.

angela pushed a change to branch SLING-11115
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git.


      at 42a0000  SLING-11115 : Allow path exemptions for referrer filter

This branch includes the following new commits:

     new 42a0000  SLING-11115 : Allow path exemptions for referrer filter

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[sling-org-apache-sling-security] 01/01: SLING-11115 : Allow path exemptions for referrer filter

Posted by an...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch SLING-11115
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git

commit 42a000079dc252ff5b9a4e02ddbae5418961763c
Author: angela <an...@adobe.com>
AuthorDate: Tue Feb 8 13:41:00 2022 +0100

    SLING-11115 : Allow path exemptions for referrer filter
---
 .../apache/sling/security/impl/ReferrerFilter.java | 36 ++++++++++-
 .../sling/security/impl/ReferrerFilterTest.java    | 74 +++++++++++++++-------
 2 files changed, 85 insertions(+), 25 deletions(-)

diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index f1902aa..dcb6029 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -144,6 +144,15 @@ public class ReferrerFilter implements Preprocessor {
                 description = "List of regexp for user agents not to check the referrer"
         )
         String[] exclude_agents_regexp() default {};
+
+        /**
+         * Excluded the configured paths from the referrer check
+         */
+        @AttributeDefinition(
+                name = "Exclude Paths",
+                description = "List of paths for which not to check the referrer"
+        )
+        String[] exclude_paths() default {};
     }
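Review bot: The description of the new `exclude_paths` attribute does not say how a configured path is matched, and that matters for an exemption from a security check: the implementation further down compares the request's path info with each entry by plain equality, so `/test_path` does not exempt `/test_path/subtree` (the test hunk confirms this). Suggest `description = "List of request paths (exact match against the servlet path info) for which not to check the referrer"`. The Javadoc line `Excluded the configured paths from the referrer check` should read `Excludes the configured paths from the referrer check`.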
 
 
@@ -161,9 +170,12 @@ public class ReferrerFilter implements Preprocessor {
     /** Methods to be filtered. */
     private final String[] filterMethods;
 
-    /** Paths to be excluded */
+    /** User agents to be excluded */
     private final Pattern[] excludedRegexUserAgents;
 
+    /** Paths to be excluded */
+    private final String[] excludedPaths;
+
     /**
      * Create a default list of referrers
      */
@@ -253,6 +265,7 @@ public class ReferrerFilter implements Preprocessor {
         this.allowEmpty = config.allow_empty();
         this.allowedRegexReferrers = createRegexPatterns(config.allow_hosts_regexp());
         this.excludedRegexUserAgents = createRegexPatterns(config.exclude_agents_regexp());
+        this.excludedPaths = config.exclude_paths();
 
         final Set<String> allowUriReferrers = getDefaultAllowedReferrers();
         if (config.allow_hosts() != null) {
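Review bot: `this.excludedPaths = config.exclude_paths();` stores the configured array without a null guard, whereas the two lines above route their arrays through `createRegexPatterns(...)` (whether that helper tolerates null is not visible here); a configuration returning null would surface as a NullPointerException in the for-each loop of `isExcludedPath` in the later hunk rather than at construction time. Suggest `this.excludedPaths = config.exclude_paths() == null ? new String[0] : config.exclude_paths().clone();` — the copy also keeps the filter from sharing the caller's mutable array. The constructor continues outside the hunk.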
@@ -350,6 +363,11 @@ public class ReferrerFilter implements Preprocessor {
     }
 
     boolean isValidRequest(final HttpServletRequest request) {
+        // ignore referrer check if the request matches any of the configured excluded path.
+        if (isExcludedPath(request)) {
+            return true;
+        }
+        
         final String referrer = request.getHeader("referer");
         // check for missing/empty referrer
         if (referrer == null || referrer.trim().length() == 0) {
@@ -431,6 +449,22 @@ public class ReferrerFilter implements Preprocessor {
     }
 
     /**
+     * Returns <code>true</code> if the path info associated with the given request is contained in the configured excluded paths.
+     *
+     * @param request The request to check
+     * @return <code>true</code> if the path-info associate with the given request is contained in the configured excluded paths.
+     */
+    private boolean isExcludedPath(HttpServletRequest request) {
+        String path = request.getPathInfo();
+        for (final String excludedPath : this.excludedPaths) {
+            if (excludedPath.equals(path)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    /**
      * Returns <code>true</code> if the provided user agent matches any present exclusion regexp pattern.
      *
      * @param userAgent The user agent string to check
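Review bot: `isExcludedPath` relies on `request.getPathInfo()` being in exactly the configured form, which makes the exemption depend on the servlet mapping and on the container: a request without extra path info yields null and never matches, and variants such as a trailing slash or, depending on the container, a path parameter segment are treated as distinct paths. Strict equality is the safer default for a check that disables referrer validation, but the Javadoc should say so, e.g. `Returns {@code true} if the path info of the given request is equal to one of the configured excluded paths; matching is exact, so sub-paths and variants with a trailing slash are not exempted.` The second Javadoc line also has a typo, `path-info associate with` should be `path info associated with`. The added blank lines before `final String referrer` in the previous hunk and after the new method carry trailing whitespace.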
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 0eb8fc1..cbc8e4c 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -16,6 +16,8 @@
  */
 package org.apache.sling.security.impl;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -66,6 +68,11 @@ public class ReferrerFilterTest {
             public String[] exclude_agents_regexp() {
                 return new String[]{"[a-zA-Z]*\\/[0-9]*\\.[0-9]*;Some-Agent\\s.*"};
             }
+
+            @Override
+            public String[] exclude_paths() {
+                return new String[] {"/test_path"};
+            }
         };
         filter = new ReferrerFilter(config);
     }
@@ -86,51 +93,70 @@ public class ReferrerFilterTest {
         Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1:242").host);
         Assert.assertEquals("localhost", filter.getHost("http://localhost:256235/etewteq.ff").host);
         Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1/wetew.qerq").host);
-        Assert.assertEquals(null, filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
+        Assert.assertNull(filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
     }
 
-    private HttpServletRequest getRequest(final String referrer, final String userAgent) {
+    private static HttpServletRequest getRequest(final String referrer, final String userAgent, final String pathInfo) {
         final HttpServletRequest request = mock(HttpServletRequest.class);
         when(request.getMethod()).thenReturn("POST");
-        when(request.getRequestURI()).thenReturn("http://somehost/somewhere");
+        if (pathInfo != null) {
+            when(request.getRequestURI()).thenReturn("http://somehost/somewhere"+pathInfo);
+            when(request.getPathInfo()).thenReturn(pathInfo);
+        } else {
+            when(request.getRequestURI()).thenReturn("http://somehost/somewhere");
+        }
         when(request.getHeader("referer")).thenReturn(referrer);
         if ( userAgent != null && userAgent.length() > 0 ) {
             when(request.getHeader("User-Agent")).thenReturn(userAgent);
         }
         return request;
     }
+    
+    private static HttpServletRequest getRequest(final String referrer, final String userAgent) {
+        return getRequest(referrer, userAgent, null);
+    }
 
-    private HttpServletRequest getRequest(final String referrer) {
+    private static HttpServletRequest getRequest(final String referrer) {
         return getRequest(referrer, null);
     }
 
     @Test
     public void testValidRequest() {
-        Assert.assertEquals(false, filter.isValidRequest(getRequest(null)));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("relative")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/too")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/but/[illegal]")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://localhost")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://127.0.0.1")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost:9001")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("https://abshost:80")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://abshost:80")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://another.abshost:80")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
-        Assert.assertEquals(true, filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
-        Assert.assertEquals(false, filter.isValidRequest(getRequest("?://")));
+        assertFalse(filter.isValidRequest(getRequest(null)));
+        assertTrue(filter.isValidRequest(getRequest("relative")));
+        assertTrue(filter.isValidRequest(getRequest("/relative/too")));
+        assertTrue(filter.isValidRequest(getRequest("/relative/but/[illegal]")));
+        assertFalse(filter.isValidRequest(getRequest("http://somehost")));
+        assertTrue(filter.isValidRequest(getRequest("http://localhost")));
+        assertTrue(filter.isValidRequest(getRequest("http://127.0.0.1")));
+        assertFalse(filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
+        assertTrue(filter.isValidRequest(getRequest("http://relhost")));
+        assertTrue(filter.isValidRequest(getRequest("http://relhost:9001")));
+        assertFalse(filter.isValidRequest(getRequest("http://abshost:9001")));
+        assertFalse(filter.isValidRequest(getRequest("https://abshost:80")));
+        assertTrue(filter.isValidRequest(getRequest("http://abshost:80")));
+        assertFalse(filter.isValidRequest(getRequest("http://abshost:9001")));
+        assertTrue(filter.isValidRequest(getRequest("http://another.abshost:80")));
+        assertFalse(filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
+        assertTrue(filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
+        assertFalse(filter.isValidRequest(getRequest("?://")));
+    }
+    
+    @Test
+    public void testExcludedPath() {
+        assertTrue(filter.isValidRequest(getRequest(null, null, "/test_path")));
+        assertFalse(filter.isValidRequest(getRequest(null, null, "/test_path/subtree")));
+        assertFalse(filter.isValidRequest(getRequest(null, null, "/test_path_sibling")));
+        
+        assertTrue(filter.isValidRequest(getRequest("relative", null, "/test_path")));
+        assertTrue(filter.isValidRequest(getRequest("http://yet.another.abshost:80", null, "/test_path")));
     }
 
     @Test
     public void testIsBrowserRequest() {
         String userAgent = "Mozilla/5.0;Some-Agent (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko)";
-        Assert.assertEquals(false, filter.isBrowserRequest(getRequest(null, userAgent)));
+        assertFalse(filter.isBrowserRequest(getRequest(null, userAgent)));
         userAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko)";
-        Assert.assertEquals(true, filter.isBrowserRequest(getRequest(null, userAgent)));
+        assertTrue(filter.isBrowserRequest(getRequest(null, userAgent)));
     }
 }
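Review bot: `testExcludedPath` pins exact matching against a sub-path and a sibling, but not the trailing-slash variant, which is the form most likely to be configured by mistake and which the equality comparison in `isExcludedPath` rejects; suggest adding `assertFalse(filter.isValidRequest(getRequest(null, null, "/test_path/")));`. It would also be worth one assertion that an exempted path does not affect `isBrowserRequest`, since the exemption lives only in `isValidRequest`. The three-argument `getRequest` concatenates `pathInfo` onto the request URI; that string is only a mock value, but a comment saying the URI is not parsed by the filter would save the next reader from checking.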