You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2020/07/09 16:37:05 UTC
[cxf] branch master updated: Add some restrictions on the length of
URLs passed through to the STS StaticService
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new bf85fd1 Add some restrictions on the length of URLs passed through to the STS StaticService
bf85fd1 is described below
commit bf85fd1ff59b0a5341554a82dd4c31a37a06e62e
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jul 9 17:36:23 2020 +0100
Add some restrictions on the length of URLs passed through to the STS StaticService
---
.../cxf/common/logging/RegexLoggingFilterTest.java | 3 +-
.../org/apache/cxf/sts/service/StaticService.java | 24 ++++++++
.../apache/cxf/sts/service/StaticServiceTest.java | 68 ++++++++++++++++++++++
3 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java b/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
index 330d301..f8deb4a 100644
--- a/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
+++ b/core/src/test/java/org/apache/cxf/common/logging/RegexLoggingFilterTest.java
@@ -31,7 +31,8 @@ public class RegexLoggingFilterTest {
filter.setPattern("jms(.*?)password=+([^ ]+)");
filter.setGroup(2);
wantFilter = filter.filter(wantFilter).toString();
- assertEquals(wantFilter, "jms:queue:soapRequestQueue?username=admin&password=*****");
+ assertEquals(wantFilter, "jms:queue:soapRequestQueue?username=admin&password="
+ + RegexLoggingFilter.DEFAULT_REPLACEMENT);
}
}
\ No newline at end of file
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
index 001aff7..5a7c598 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/service/StaticService.java
@@ -29,6 +29,7 @@ import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.ws.security.sts.provider.STSException;
/**
* This class represents a (static) service. It can be spring-loaded with a set of Endpoint
@@ -36,10 +37,13 @@ import org.apache.cxf.common.logging.LogUtils;
*/
public class StaticService implements ServiceMBean {
private static final Logger LOG = LogUtils.getL7dLogger(StaticService.class);
+ // https://tools.ietf.org/html/rfc7230#section-3.1.1
+ private static final int DEFAULT_MAX_ADDRESS_LENGTH = 8000;
private String tokenType;
private String keyType;
private EncryptionProperties encryptionProperties;
+ private int maxAddressLength = DEFAULT_MAX_ADDRESS_LENGTH;
/**
* a collection of compiled regular expression patterns
@@ -54,6 +58,9 @@ public class StaticService implements ServiceMBean {
if (addressToMatch == null) {
addressToMatch = "";
}
+ if (addressToMatch.length() > maxAddressLength) {
+ throw new STSException("The address length exceeds the maximum allowable length");
+ }
for (Pattern endpointPattern : endpointPatterns) {
final Matcher matcher = endpointPattern.matcher(addressToMatch);
if (matcher.matches()) {
@@ -132,4 +139,21 @@ public class StaticService implements ServiceMBean {
LOG.fine("Setting encryption properties");
}
+ /**
+ * Get the maximum allowable address length to compare against the addresses set in
+ * setEndpoints
+ * @return the maximum allowable address length
+ */
+ public int getMaxAddressLength() {
+ return maxAddressLength;
+ }
+
+ /**
+ * Set the maximum allowable address length to compare against the addresses set in
+ * setEndpoints
+ * @param maxAddressLength the maximum allowable address length
+ */
+ public void setMaxAddressLength(int maxAddressLength) {
+ this.maxAddressLength = maxAddressLength;
+ }
}
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java
new file mode 100644
index 0000000..18ac113
--- /dev/null
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/service/StaticServiceTest.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.service;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.IntStream;
+
+import org.apache.cxf.ws.security.sts.provider.STSException;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class StaticServiceTest {
+
+ @org.junit.Test
+ public void testIsAddressInEndpoints() {
+ StaticService service = new StaticService();
+ List<String> endpoints =
+ Arrays.asList("https://localhost:12345/sts",
+ "https://localhost:54321/sts2",
+ "https://localhost:55555/sts3");
+ service.setEndpoints(endpoints);
+
+ endpoints.forEach(e -> assertTrue(service.isAddressInEndpoints(e)));
+ }
+
+ @org.junit.Test
+ public void testMaximumAllowableAddress() {
+ StaticService service = new StaticService();
+ List<String> endpoints =
+ Arrays.asList("https://localhost:12345/sts.*");
+ service.setEndpoints(endpoints);
+
+ StringBuilder sb = new StringBuilder("https://localhost:12345/sts");
+ IntStream.range(0, 1000).forEach(i -> sb.append("1"));
+
+ // This should be allowed
+ assertTrue(service.isAddressInEndpoints(sb.toString()));
+
+ IntStream.range(0, 7000).forEach(i -> sb.append("1"));
+
+ // This address is too long
+ try {
+ service.isAddressInEndpoints(sb.toString());
+ fail("Failure expected");
+ } catch (STSException ex) {
+ // expected
+ }
+ }
+
+}