You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2020/07/09 16:37:05 UTC

[cxf] branch master updated: Add some restrictions on the length of URLs passed through to the STS StaticService

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new bf85fd1  Add some restrictions on the length of URLs passed through to the STS StaticService
bf85fd1 is described below

commit bf85fd1ff59b0a5341554a82dd4c31a37a06e62e
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jul 9 17:36:23 2020 +0100

    Add some restrictions on the length of URLs passed through to the STS StaticService
---
 .../cxf/common/logging/RegexLoggingFilterTest.java |  3 +-
 .../org/apache/cxf/sts/service/StaticService.java  | 24 ++++++++
 .../apache/cxf/sts/service/StaticServiceTest.java  | 68 ++++++++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)

diff --git a/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java b/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
index 330d301..f8deb4a 100644
--- a/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
+++ b/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
@@ -31,7 +31,8 @@ public class RegexLoggingFilterTest {
         filter.setPattern("jms(.*?)password=+([^ ]+)");
         filter.setGroup(2);
         wantFilter = filter.filter(wantFilter).toString();
-        assertEquals(wantFilter, "jms:queue:soapRequestQueue?username=admin&password=*****");
+        assertEquals(wantFilter, "jms:queue:soapRequestQueue?username=admin&password="
+            + RegexLoggingFilter.DEFAULT_REPLACEMENT);
     }
 
 }
\ No newline at end of file
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
index 001aff7..5a7c598 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
@@ -29,6 +29,7 @@ import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.ws.security.sts.provider.STSException;
 
 /**
  * This class represents a (static) service. It can be spring-loaded with a set of Endpoint
@@ -36,10 +37,13 @@ import org.apache.cxf.common.logging.LogUtils;
  */
 public class StaticService implements ServiceMBean {
     private static final Logger LOG = LogUtils.getL7dLogger(StaticService.class);
+    // https://tools.ietf.org/html/rfc7230#section-3.1.1
+    private static final int DEFAULT_MAX_ADDRESS_LENGTH = 8000;
 
     private String tokenType;
     private String keyType;
     private EncryptionProperties encryptionProperties;
+    private int maxAddressLength = DEFAULT_MAX_ADDRESS_LENGTH;
 
     /**
      * a collection of compiled regular expression patterns
@@ -54,6 +58,9 @@ public class StaticService implements ServiceMBean {
         if (addressToMatch == null) {
             addressToMatch = "";
         }
+        if (addressToMatch.length() > maxAddressLength) {
+            throw new STSException("The address length exceeds the maximum allowable length");
+        }
         for (Pattern endpointPattern : endpointPatterns) {
             final Matcher matcher = endpointPattern.matcher(addressToMatch);
             if (matcher.matches()) {
@@ -132,4 +139,21 @@ public class StaticService implements ServiceMBean {
         LOG.fine("Setting encryption properties");
     }
 
+    /**
+     * Get the maximum allowable address length to compare against the addresses set in
+     * setEndpoints
+     * @return the maximum allowable address length
+     */
+    public int getMaxAddressLength() {
+        return maxAddressLength;
+    }
+
+    /**
+     * Set the maximum allowable address length to compare against the addresses set in
+     * setEndpoints
+     * @param maxAddressLength the maximum allowable address length
+     */
+    public void setMaxAddressLength(int maxAddressLength) {
+        this.maxAddressLength = maxAddressLength;
+    }
 }
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java
new file mode 100644
index 0000000..18ac113
--- /dev/null
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.service;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.IntStream;
+
+import org.apache.cxf.ws.security.sts.provider.STSException;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class StaticServiceTest {
+
+    @org.junit.Test
+    public void testIsAddressInEndpoints() {
+        StaticService service = new StaticService();
+        List<String> endpoints =
+                Arrays.asList("https://localhost:12345/sts",
+                        "https://localhost:54321/sts2",
+                        "https://localhost:55555/sts3");
+        service.setEndpoints(endpoints);
+
+        endpoints.forEach(e -> assertTrue(service.isAddressInEndpoints(e)));
+    }
+
+    @org.junit.Test
+    public void testMaximumAllowableAddress() {
+        StaticService service = new StaticService();
+        List<String> endpoints =
+                Arrays.asList("https://localhost:12345/sts.*");
+        service.setEndpoints(endpoints);
+
+        StringBuilder sb = new StringBuilder("https://localhost:12345/sts");
+        IntStream.range(0, 1000).forEach(i -> sb.append("1"));
+
+        // This should be allowed
+        assertTrue(service.isAddressInEndpoints(sb.toString()));
+
+        IntStream.range(0, 7000).forEach(i -> sb.append("1"));
+
+        // This address is too long
+        try {
+            service.isAddressInEndpoints(sb.toString());
+            fail("Failure expected");
+        } catch (STSException ex) {
+            // expected
+        }
+    }
+
+}