Posted to dev@shindig.apache.org by et...@apache.org on 2008/10/02 03:07:14 UTC
svn commit: r700978 - in /incubator/shindig/trunk/java/gadgets/src:
main/java/org/apache/shindig/gadgets/http/
main/java/org/apache/shindig/gadgets/servlet/
test/java/org/apache/shindig/gadgets/http/
test/java/org/apache/shindig/gadgets/servlet/
Author: etnu
Date: Wed Oct 1 18:07:14 2008
New Revision: 700978
URL: http://svn.apache.org/viewvc?rev=700978&view=rev
Log:
Added protection against a potential denial of service attack when external content entities (type html + href attribute) are used in a self-referencing manner.
Added:
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/HttpRequest.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/http/HttpRequestTest.java
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/HttpRequest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/HttpRequest.java?rev=700978&r1=700977&r2=700978&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/HttpRequest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/HttpRequest.java Wed Oct 1 18:07:14 2008
@@ -44,6 +44,8 @@
* being constructed.
*/
public class HttpRequest {
+ /** Automatically added to every request so that we know that the request came from our server. */
+ public static final String DOS_PREVENTION_HEADER = "X-shindig-dos";
static final String DEFAULT_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8";
private String method = "GET";
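Review bot: The Javadoc on DOS_PREVENTION_HEADER overstates what the header proves: the value the constructor attaches is a fixed literal, so any client can send the same header and its presence only marks a request as one that must not trigger a further render, not that it originated from this server. Suggest `/** Marker header added to every outgoing request so that a self-referencing fetch can be recognised and refused; the value is not secret and does not authenticate the sender. */`. The class body continues past the end of the hunk.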
@@ -60,7 +62,7 @@
// Whether to follow redirects
private boolean followRedirects = true;
-
+
// Context for the request.
private Uri gadget;
private String container = ContainerConfig.DEFAULT_CONTAINER;
@@ -78,6 +80,7 @@
public HttpRequest(Uri uri) {
this.uri = uri;
authType = AuthType.NONE;
+ addHeader(DOS_PREVENTION_HEADER, "on");
}
/**
@@ -236,7 +239,7 @@
this.oauthArguments = oauthArguments;
return this;
}
-
+
/**
* @param followRedirects whether this request should automatically follow redirects.
*/
@@ -386,7 +389,7 @@
public OAuthArguments getOAuthArguments() {
return oauthArguments;
}
-
+
/**
* @return true if redirects should be followed.
*/
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java?rev=700978&r1=700977&r2=700978&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java Wed Oct 1 18:07:14 2008
@@ -19,6 +19,7 @@
import org.apache.shindig.common.servlet.InjectedServlet;
import org.apache.shindig.gadgets.GadgetContext;
+import org.apache.shindig.gadgets.http.HttpRequest;
import org.apache.shindig.gadgets.render.Renderer;
import org.apache.shindig.gadgets.render.RenderingResults;
@@ -42,6 +43,14 @@
}
private void render(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ if (req.getHeader(HttpRequest.DOS_PREVENTION_HEADER) != null) {
+ // Refuse to render for any request that came from us.
+ // TODO: Is this necessary for any other type of request? Rendering seems to be the only one
+ // that can potentially result in an infinite loop.
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
GadgetContext context = new HttpGadgetContext(req);
RenderingResults results = renderer.render(context);
switch (results.getStatus()) {
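Review bot: The new guard at the top of render() refuses the request silently, so a gadget whose content points back at its own render URL is stopped but never surfaced to operators; emitting a warning with the request URI (not the header value) before `resp.sendError(HttpServletResponse.SC_FORBIDDEN)` would make the offending gadget visible, assuming the servlet has a logger available. Keying on presence only (`!= null`) is the right choice given the header value is a fixed marker, and doing the check before `HttpGadgetContext` is constructed means no rendering work is spent on the rejected request. render() continues past the end of the hunk.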
Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/http/HttpRequestTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/http/HttpRequestTest.java?rev=700978&r1=700977&r2=700978&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/http/HttpRequestTest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/http/HttpRequestTest.java Wed Oct 1 18:07:14 2008
@@ -20,6 +20,7 @@
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import org.apache.shindig.auth.AnonymousSecurityToken;
@@ -45,6 +46,13 @@
private static final Uri DEFAULT_URI = Uri.parse("http://example.org/");
@Test
+ public void dosPreventionHeaderAdded() {
+ HttpRequest request = new HttpRequest(DEFAULT_URI);
+ assertNotNull("DoS prevention header not present in request.",
+ request.getHeader(HttpRequest.DOS_PREVENTION_HEADER));
+ }
+
+ @Test
public void postBodyCopied() throws Exception {
HttpRequest request = new HttpRequest(DEFAULT_URI).setPostBody(POST_BODY.getBytes());
assertEquals(POST_BODY.length(), request.getPostBodyLength());
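Review bot: dosPreventionHeaderAdded asserts only that the header is present, which matches the presence check on the servlet side, but pinning the value with `assertEquals("on", request.getHeader(HttpRequest.DOS_PREVENTION_HEADER));` would also catch a later change that blanks the marker. Whether the copy constructor carries the header over is not asserted in this hunk; copyCtorCopiesAllFields lies outside it and may already cover that.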
@@ -91,7 +99,7 @@
HttpRequest request = new HttpRequest(DEFAULT_URI);
assertTrue(request.getFollowRedirects());
}
-
+
@Test
public void copyCtorCopiesAllFields() {
OAuthArguments oauthArguments = new OAuthArguments();
Added: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java?rev=700978&view=auto
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java (added)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java Wed Oct 1 18:07:14 2008
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shindig.gadgets.servlet;
+
+import static org.easymock.EasyMock.expect;
+import static org.junit.Assert.assertEquals;
+
+import org.apache.shindig.gadgets.http.HttpRequest;
+
+import org.easymock.EasyMock;
+import org.easymock.IMocksControl;
+import org.junit.Test;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class GadgetRenderingServletTest {
+ private final IMocksControl control = EasyMock.createNiceControl();
+ private final HttpServletRequest request = control.createMock(HttpServletRequest.class);
+ private final HttpServletResponse response = control.createMock(HttpServletResponse.class);
+ public final HttpServletResponseRecorder recorder = new HttpServletResponseRecorder(response);
+ private final GadgetRenderingServlet servlet = new GadgetRenderingServlet();
+
+ @Test
+ public void dosHeaderRejected() throws Exception {
+ expect(request.getHeader(HttpRequest.DOS_PREVENTION_HEADER)).andReturn("foo");
+ control.replay();
+ servlet.doGet(request, recorder);
+
+ assertEquals(HttpServletResponse.SC_FORBIDDEN, recorder.getHttpStatusCode());
+ }
+}
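Review bot: The `recorder` field is declared `public final` while the surrounding fixture fields are `private final`, and nothing on the page reads it from outside the class, so `private final HttpServletResponseRecorder recorder = new HttpServletResponseRecorder(response);` keeps the fixture consistent. Returning `"foo"` from the mocked getHeader usefully shows that the servlet rejects on presence rather than on the exact marker value. A companion case asserting that a request without the header is not refused would pin the other half of the guard, though with a bare `new GadgetRenderingServlet()` the renderer field appears to be uninitialised, so that case may need the renderer injected first.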