Posted to commits@cxf.apache.org by co...@apache.org on 2020/03/24 08:26:58 UTC
[cxf] 03/05: Prevent SOAPAction spoofing for RPC/Lit services
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 3e285c217b21174c8f9f37a0755d32345e134fb0
Author: Daniel Kulp <dk...@apache.org>
AuthorDate: Mon Mar 23 15:01:51 2020 -0400
Prevent SOAPAction spoofing for RPC/Lit services
(cherry picked from commit b563f7b59db5a749537d1149ff48cdbc021f54f8)
---
.../cxf/binding/soap/interceptor/Messages.properties | 1 +
.../cxf/binding/soap/interceptor/RPCInInterceptor.java | 5 +++++
.../apache/cxf/systest/jms/action/JMSSoapActionTest.java | 15 ++++++++++-----
.../java/org/apache/cxf/systest/soap/SoapActionTest.java | 1 -
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index bf5622b..aea4a57 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -34,3 +34,4 @@ NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP message.
BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.
+SOAP_ACTION_MISMATCH_OP=The given SOAPAction {0} does not match the received operation {1}.
\ No newline at end of file
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
index 78a7f29..5f281c9 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
@@ -30,6 +30,7 @@ import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
+import org.apache.cxf.binding.soap.SoapBindingConstants;
import org.apache.cxf.binding.soap.wsdl.extensions.SoapBody;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.databinding.DataReader;
@@ -112,6 +113,10 @@ public class RPCInInterceptor extends AbstractInDatabindingInterceptor {
setMessage(message, operation);
} else {
operation = message.getExchange().getBindingOperationInfo();
+ if (!operation.getName().getLocalPart().equals(opName)) {
+ String sa = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+ throw new Fault("SOAP_ACTION_MISMATCH_OP", LOG, null, sa, opName);
+ }
}
MessageInfo msg;
DataReader<XMLStreamReader> dr = getDataReader(message, XMLStreamReader.class);
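Review bot: The new guard compares only the local part of the operation name with `opName`, so it is worth confirming that `opName` (computed outside this hunk) is a unique key for the binding; if the body element is available as a full QName, comparing the whole QName would be the stricter check. The intent of the block also deserves a comment, because next to the lookup in the `if` branch it reads as redundant: `// The operation was already chosen from the SOAPAction header; reject the request when the body element names a different operation, so the action and payload cannot disagree.` The `sa` value only feeds the fault text, which is fine since it echoes back what the client sent, though the fault carries no explicit SOAP fault code and that may be intentional to match the existing SOAP_ACTION_MISMATCH path. The enclosing method starts and ends outside this hunk.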
diff --git a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
index 59c39da..c3ba953 100644
--- a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
+++ b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
@@ -43,7 +43,7 @@ import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
-
+import static org.junit.Assert.fail;
/**
* Some tests for sending a SOAP Action with JMS
@@ -108,6 +108,8 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
((java.io.Closeable)greeter).close();
}
+
+
@Test
public void testSayHi2() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldServiceSoapAction");
@@ -126,10 +128,13 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
);
- String reply = greeter.sayHi();
- assertNotNull("no response received from service", reply);
- assertEquals(response, reply);
-
+ try {
+ greeter.sayHi();
+ fail("Failure expected on spoofing attack");
+ } catch (Exception ex) {
+ // expected
+ }
+
((java.io.Closeable)greeter).close();
}
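Review bot: `catch (Exception ex)` in the new try block accepts any failure, so a transport error or timeout would also pass the test and the mismatch rejection is not actually pinned; narrow the catch to the fault type the proxy throws and assert on the message, for example `assertTrue(ex.getMessage().contains("does not match"))`. If `response` (declared above the hunk) was only consumed by the removed `assertEquals(response, reply)`, it is now an unused local, and the `assertNotNull` static import may likewise be unused unless another test still needs it. The two blank lines added at the earlier hunk of this file and the dropped blank line between the static imports and the class Javadoc are formatting noise the commit could avoid. The enclosing test method starts outside this hunk.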
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
index 3ac0fe6..7e033e2 100644
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
@@ -343,7 +343,6 @@ public class SoapActionTest {
}
@Test
- @org.junit.Ignore // TODO
public void testRPCLitSoapActionSpoofing() throws Exception {
JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
pf.setServiceClass(RPCGreeter.class);