You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@james.apache.org by bt...@apache.org on 2022/03/30 03:55:42 UTC
[james-project] 03/06: JAMES-1862 Tests for concurrency based STARTTLS command injections
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 99c864790ebf2ae769ba9340905f77d6a6d9a627
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Wed Mar 16 23:40:31 2022 +0700
JAMES-1862 Tests for concurrency based STARTTLS command injections
---
.../james/imapserver/netty/IMAPServerTest.java | 84 ++++++++++++++++++----
.../src/test/resources/imapServerStartTLS.xml | 2 +-
2 files changed, 70 insertions(+), 16 deletions(-)
diff --git a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
index ee07543..e4ab6f6 100644
--- a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
+++ b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
@@ -63,12 +63,14 @@ import javax.net.ssl.X509TrustManager;
import org.apache.commons.configuration2.HierarchicalConfiguration;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.configuration2.tree.ImmutableNode;
+import org.apache.commons.io.IOUtils;
import org.apache.commons.net.imap.AuthenticatingIMAPClient;
import org.apache.commons.net.imap.IMAPReply;
import org.apache.commons.net.imap.IMAPSClient;
import org.apache.james.core.Username;
import org.apache.james.imap.encode.main.DefaultImapEncoderFactory;
import org.apache.james.imap.main.DefaultImapDecoderFactory;
+import org.apache.james.imap.processor.base.AbstractChainedProcessor;
import org.apache.james.imap.processor.main.DefaultImapProcessorFactory;
import org.apache.james.jwt.OidcTokenFixture;
import org.apache.james.mailbox.MailboxSession;
@@ -104,12 +106,17 @@ import org.junit.jupiter.api.extension.RegisterExtension;
import org.mockserver.integration.ClientAndServer;
import org.mockserver.model.HttpRequest;
import org.mockserver.model.HttpResponse;
+import org.slf4j.LoggerFactory;
import com.github.fge.lambdas.Throwing;
import com.google.common.collect.ImmutableList;
import com.sun.mail.imap.IMAPFolder;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.read.ListAppender;
import io.netty.buffer.Unpooled;
+import io.netty.channel.ChannelOption;
import io.netty.handler.codec.compression.JdkZlibDecoder;
import io.netty.handler.codec.compression.JdkZlibEncoder;
import io.netty.handler.codec.compression.ZlibWrapper;
@@ -421,15 +428,54 @@ class IMAPServerTest {
}
+ public static class BlindTrustManager implements X509TrustManager {
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+
+ public void checkClientTrusted(X509Certificate[] chain, String authType) {
+
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType) {
+
+
+ }
+ }
+
+ public static ListAppender<ILoggingEvent> getListAppenderForClass(Class clazz) {
+ Logger logger = (Logger) LoggerFactory.getLogger(clazz);
+
+ ListAppender<ILoggingEvent> loggingEventListAppender = new ListAppender<>();
+ loggingEventListAppender.start();
+
+ logger.addAppender(loggingEventListAppender);
+ return loggingEventListAppender;
+ }
+
+
@Nested
class StartTLS {
IMAPServer imapServer;
private int port;
+ private Connection connection;
+ private ConcurrentLinkedDeque<String> responses;
@BeforeEach
void beforeEach() throws Exception {
imapServer = createImapServer("imapServerStartTLS.xml");
port = imapServer.getListenAddresses().get(0).getPort();
+ connection = TcpClient.create()
+ .noSSL()
+ .remoteAddress(() -> new InetSocketAddress(LOCALHOST_IP, port))
+ .option(ChannelOption.TCP_NODELAY, true)
+ .connectNow();
+ responses = new ConcurrentLinkedDeque<>();
+ connection.inbound().receive().asString()
+ .doOnNext(s -> System.out.println("A: " + s))
+ .doOnNext(responses::addLast)
+ .subscribeOn(Schedulers.elastic())
+ .subscribe();
}
@AfterEach
@@ -476,6 +522,28 @@ class IMAPServerTest {
assertThat(imapCode).isEqualTo(IMAPReply.NO);
}
+
+ private void send(String format) {
+ connection.outbound()
+ .send(Mono.just(Unpooled.wrappedBuffer(format
+ .getBytes(StandardCharsets.UTF_8))))
+ .then()
+ .subscribe();
+ }
+
+ @RepeatedTest(10)
+ void concurrencyShouldNotLeadToCommandInjection() throws Exception {
+ ListAppender<ILoggingEvent> listAppender = getListAppenderForClass(AbstractChainedProcessor.class);
+
+ send("a0 STARTTLS\r\n");
+ send("a1 NOOP\r\n");
+
+ Thread.sleep(50);
+
+ assertThat(listAppender.list)
+ .filteredOn(event -> event.getFormattedMessage().contains("Processing org.apache.james.imap.message.request.NoopRequest"))
+ .isEmpty();
+ }
}
@Nested
@@ -1061,21 +1129,6 @@ class IMAPServerTest {
}
}
- public static class BlindTrustManager implements X509TrustManager {
- public X509Certificate[] getAcceptedIssuers() {
- return null;
- }
-
- public void checkClientTrusted(X509Certificate[] chain, String authType) {
-
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType) {
-
-
- }
- }
-
@Nested
class IdleSSL {
IMAPServer imapServer;
@@ -1677,6 +1730,7 @@ class IMAPServerTest {
line.rewind();
byte[] bline = new byte[line.remaining()];
line.get(bline);
+ System.out.println("O: " + IOUtils.toString(bline));
return bline;
}
diff --git a/server/protocols/protocols-imap4/src/test/resources/imapServerStartTLS.xml b/server/protocols/protocols-imap4/src/test/resources/imapServerStartTLS.xml
index 127dfb9..c2b8eb8 100644
--- a/server/protocols/protocols-imap4/src/test/resources/imapServerStartTLS.xml
+++ b/server/protocols/protocols-imap4/src/test/resources/imapServerStartTLS.xml
@@ -1,7 +1,7 @@
<imapserver enabled="true">
<jmxName>imapserver</jmxName>
<bind>0.0.0.0:0</bind>
- <tls socketTLS="false" startTLS="false">
+ <tls socketTLS="false" startTLS="true">
<keystore>classpath://keystore</keystore>
<secret>james72laBalle</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org