Posted to commits@cxf.apache.org by co...@apache.org on 2020/03/24 08:26:58 UTC

[cxf] 03/05: Prevent SOAPAction spoofing for RPC/Lit services

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 3e285c217b21174c8f9f37a0755d32345e134fb0
Author: Daniel Kulp <dk...@apache.org>
AuthorDate: Mon Mar 23 15:01:51 2020 -0400

    Prevent SOAPAction spoofing for RPC/Lit services
    
    (cherry picked from commit b563f7b59db5a749537d1149ff48cdbc021f54f8)
---
 .../cxf/binding/soap/interceptor/Messages.properties      |  1 +
 .../cxf/binding/soap/interceptor/RPCInInterceptor.java    |  5 +++++
 .../apache/cxf/systest/jms/action/JMSSoapActionTest.java  | 15 ++++++++++-----
 .../java/org/apache/cxf/systest/soap/SoapActionTest.java  |  1 -
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index bf5622b..aea4a57 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -34,3 +34,4 @@ NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP message.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
 UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
 SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.
+SOAP_ACTION_MISMATCH_OP=The given SOAPAction {0} does not match the received operation {1}.
\ No newline at end of file
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
index 78a7f29..5f281c9 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
@@ -30,6 +30,7 @@ import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 
+import org.apache.cxf.binding.soap.SoapBindingConstants;
 import org.apache.cxf.binding.soap.wsdl.extensions.SoapBody;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.databinding.DataReader;
@@ -112,6 +113,10 @@ public class RPCInInterceptor extends AbstractInDatabindingInterceptor {
             setMessage(message, operation);
         } else {
             operation = message.getExchange().getBindingOperationInfo();
+            if (!operation.getName().getLocalPart().equals(opName)) {
+                String sa = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                throw new Fault("SOAP_ACTION_MISMATCH_OP", LOG, null, sa, opName);
+            }
         }
         MessageInfo msg;
         DataReader<XMLStreamReader> dr = getDataReader(message, XMLStreamReader.class);
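Review bot: The new guard carries no comment explaining why the body's wrapper element is compared against the operation already on the exchange, which is the whole point of the fix; I would add `// The operation was pre-selected before the body was read (e.g. from SOAPAction). Reject a body whose wrapper element names a different operation, otherwise a client can spoof the action to reach one operation with another operation's payload.` above the `if`. The guard also dereferences `operation` returned by `getBindingOperationInfo()` without a null check; if the enclosing `if` (its condition is outside the hunk) tests anything other than that value being null, a spoofed request could surface as a NullPointerException instead of a Fault, which is worth confirming. Comparing only the local part is reasonable inside a single portType, but that assumption should be stated in the same comment so a later multi-interface change does not silently weaken the check. The enclosing method starts and ends outside the hunk.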
diff --git a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
index 59c39da..c3ba953 100644
--- a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
+++ b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
@@ -43,7 +43,7 @@ import org.junit.Test;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertSame;
-
+import static org.junit.Assert.fail;
 
 /**
  * Some tests for sending a SOAP Action with JMS
@@ -108,6 +108,8 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)greeter).close();
     }
 
+    
+    
     @Test
     public void testSayHi2() throws Exception {
         QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldServiceSoapAction");
@@ -126,10 +128,13 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
             BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
         );
 
-        String reply = greeter.sayHi();
-        assertNotNull("no response received from service", reply);
-        assertEquals(response, reply);
-
+        try {
+            greeter.sayHi();
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+            
         ((java.io.Closeable)greeter).close();
     }
 
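Review bot: The `catch (Exception ex)` at the end of the hunk accepts any failure, so the test also passes if `sayHi()` fails for an unrelated reason (a JMS transport or endpoint problem) and would not detect a regression that removed the spoofing check. Narrow it to what the client actually surfaces and assert on the cause, e.g. `catch (javax.xml.ws.soap.SOAPFaultException ex)` with `assertTrue(ex.getMessage().contains("does not match the received operation"));` in the body instead of the bare `// expected`. The removed `assertEquals(response, reply)` was the only visible use of `response`, which is set up outside the hunk and may now be an unused local. The test method continues outside the hunk on both sides, and the added lines carry trailing whitespace that the project's checkstyle may reject.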
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
index 3ac0fe6..7e033e2 100644
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
@@ -343,7 +343,6 @@ public class SoapActionTest {
     }
 
     @Test
-    @org.junit.Ignore  // TODO
     public void testRPCLitSoapActionSpoofing() throws Exception {
         JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
         pf.setServiceClass(RPCGreeter.class);