You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by an...@apache.org on 2022/02/08 12:41:20 UTC
[sling-org-apache-sling-security] 01/01: SLING-11115 : Allow path exemptions for referrer filter
This is an automated email from the ASF dual-hosted git repository.
angela pushed a commit to branch SLING-11115
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 42a000079dc252ff5b9a4e02ddbae5418961763c
Author: angela <an...@adobe.com>
AuthorDate: Tue Feb 8 13:41:00 2022 +0100
SLING-11115 : Allow path exemptions for referrer filter
---
.../apache/sling/security/impl/ReferrerFilter.java | 36 ++++++++++-
.../sling/security/impl/ReferrerFilterTest.java | 74 +++++++++++++++-------
2 files changed, 85 insertions(+), 25 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index f1902aa..dcb6029 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -144,6 +144,15 @@ public class ReferrerFilter implements Preprocessor {
description = "List of regexp for user agents not to check the referrer"
)
String[] exclude_agents_regexp() default {};
+
+ /**
+ * Excluded the configured paths from the referrer check
+ */
+ @AttributeDefinition(
+ name = "Exclude Paths",
+ description = "List of paths for which not to check the referrer"
+ )
+ String[] exclude_paths() default {};
}
@@ -161,9 +170,12 @@ public class ReferrerFilter implements Preprocessor {
/** Methods to be filtered. */
private final String[] filterMethods;
- /** Paths to be excluded */
+ /** User agents to be excluded */
private final Pattern[] excludedRegexUserAgents;
+ /** Paths to be excluded */
+ private final String[] excludedPaths;
+
/**
* Create a default list of referrers
*/
@@ -253,6 +265,7 @@ public class ReferrerFilter implements Preprocessor {
this.allowEmpty = config.allow_empty();
this.allowedRegexReferrers = createRegexPatterns(config.allow_hosts_regexp());
this.excludedRegexUserAgents = createRegexPatterns(config.exclude_agents_regexp());
+ this.excludedPaths = config.exclude_paths();
final Set<String> allowUriReferrers = getDefaultAllowedReferrers();
if (config.allow_hosts() != null) {
@@ -350,6 +363,11 @@ public class ReferrerFilter implements Preprocessor {
}
boolean isValidRequest(final HttpServletRequest request) {
+ // ignore referrer check if the request matches any of the configured excluded path.
+ if (isExcludedPath(request)) {
+ return true;
+ }
+
final String referrer = request.getHeader("referer");
// check for missing/empty referrer
if (referrer == null || referrer.trim().length() == 0) {
@@ -431,6 +449,22 @@ public class ReferrerFilter implements Preprocessor {
}
/**
+ * Returns <code>true</code> if the path info associated with the given request is contained in the configured excluded paths.
+ *
+ * @param request The request to check
+ * @return <code>true</code> if the path-info associate with the given request is contained in the configured excluded paths.
+ */
+ private boolean isExcludedPath(HttpServletRequest request) {
+ String path = request.getPathInfo();
+ for (final String excludedPath : this.excludedPaths) {
+ if (excludedPath.equals(path)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
* Returns <code>true</code> if the provided user agent matches any present exclusion regexp pattern.
*
* @param userAgent The user agent string to check
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 0eb8fc1..cbc8e4c 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -16,6 +16,8 @@
*/
package org.apache.sling.security.impl;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
@@ -66,6 +68,11 @@ public class ReferrerFilterTest {
public String[] exclude_agents_regexp() {
return new String[]{"[a-zA-Z]*\\/[0-9]*\\.[0-9]*;Some-Agent\\s.*"};
}
+
+ @Override
+ public String[] exclude_paths() {
+ return new String[] {"/test_path"};
+ }
};
filter = new ReferrerFilter(config);
}
@@ -86,51 +93,70 @@ public class ReferrerFilterTest {
Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1:242").host);
Assert.assertEquals("localhost", filter.getHost("http://localhost:256235/etewteq.ff").host);
Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1/wetew.qerq").host);
- Assert.assertEquals(null, filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
+ Assert.assertNull(filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
}
- private HttpServletRequest getRequest(final String referrer, final String userAgent) {
+ private static HttpServletRequest getRequest(final String referrer, final String userAgent, final String pathInfo) {
final HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getMethod()).thenReturn("POST");
- when(request.getRequestURI()).thenReturn("http://somehost/somewhere");
+ if (pathInfo != null) {
+ when(request.getRequestURI()).thenReturn("http://somehost/somewhere"+pathInfo);
+ when(request.getPathInfo()).thenReturn(pathInfo);
+ } else {
+ when(request.getRequestURI()).thenReturn("http://somehost/somewhere");
+ }
when(request.getHeader("referer")).thenReturn(referrer);
if ( userAgent != null && userAgent.length() > 0 ) {
when(request.getHeader("User-Agent")).thenReturn(userAgent);
}
return request;
}
+
+ private static HttpServletRequest getRequest(final String referrer, final String userAgent) {
+ return getRequest(referrer, userAgent, null);
+ }
- private HttpServletRequest getRequest(final String referrer) {
+ private static HttpServletRequest getRequest(final String referrer) {
return getRequest(referrer, null);
}
@Test
public void testValidRequest() {
- Assert.assertEquals(false, filter.isValidRequest(getRequest(null)));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("relative")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/too")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/but/[illegal]")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://localhost")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://127.0.0.1")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost:9001")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("https://abshost:80")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://abshost:80")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("http://another.abshost:80")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
- Assert.assertEquals(true, filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
- Assert.assertEquals(false, filter.isValidRequest(getRequest("?://")));
+ assertFalse(filter.isValidRequest(getRequest(null)));
+ assertTrue(filter.isValidRequest(getRequest("relative")));
+ assertTrue(filter.isValidRequest(getRequest("/relative/too")));
+ assertTrue(filter.isValidRequest(getRequest("/relative/but/[illegal]")));
+ assertFalse(filter.isValidRequest(getRequest("http://somehost")));
+ assertTrue(filter.isValidRequest(getRequest("http://localhost")));
+ assertTrue(filter.isValidRequest(getRequest("http://127.0.0.1")));
+ assertFalse(filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
+ assertTrue(filter.isValidRequest(getRequest("http://relhost")));
+ assertTrue(filter.isValidRequest(getRequest("http://relhost:9001")));
+ assertFalse(filter.isValidRequest(getRequest("http://abshost:9001")));
+ assertFalse(filter.isValidRequest(getRequest("https://abshost:80")));
+ assertTrue(filter.isValidRequest(getRequest("http://abshost:80")));
+ assertFalse(filter.isValidRequest(getRequest("http://abshost:9001")));
+ assertTrue(filter.isValidRequest(getRequest("http://another.abshost:80")));
+ assertFalse(filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
+ assertTrue(filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
+ assertFalse(filter.isValidRequest(getRequest("?://")));
+ }
+
+ @Test
+ public void testExcludedPath() {
+ assertTrue(filter.isValidRequest(getRequest(null, null, "/test_path")));
+ assertFalse(filter.isValidRequest(getRequest(null, null, "/test_path/subtree")));
+ assertFalse(filter.isValidRequest(getRequest(null, null, "/test_path_sibling")));
+
+ assertTrue(filter.isValidRequest(getRequest("relative", null, "/test_path")));
+ assertTrue(filter.isValidRequest(getRequest("http://yet.another.abshost:80", null, "/test_path")));
}
@Test
public void testIsBrowserRequest() {
String userAgent = "Mozilla/5.0;Some-Agent (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko)";
- Assert.assertEquals(false, filter.isBrowserRequest(getRequest(null, userAgent)));
+ assertFalse(filter.isBrowserRequest(getRequest(null, userAgent)));
userAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko)";
- Assert.assertEquals(true, filter.isBrowserRequest(getRequest(null, userAgent)));
+ assertTrue(filter.isBrowserRequest(getRequest(null, userAgent)));
}
}