diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 10:22:11 +0200 |
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 10:22:11 +0200 |
| commit | e10256fe93208ef786d2e38a68a98e2548d501ee (patch) | |
| tree | a5c1c97936cdd635db7a24164f796be6be5413ee | |
| parent | c4633dffe99d4cc41e25fe165b6b8b5013ea34bd (diff) | |
| download | moa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.tar.gz moa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.tar.bz2 moa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.zip | |
fix SSRF bug in SAML1 parameter validator
8 files changed, 739 insertions, 77 deletions
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index beeab5375..ba883d1a1 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -19,7 +19,8 @@ configuration.moaconfig.key=ConfigurationEncryptionKey configuration.ssl.validation.revocation.method.order=ocsp,crl general.moaidmode.active=true #configuration.ssl.validation.hostname=false -#configuration.validate.authblock.targetfriendlyname=true< +#configuration.validate.authblock.targetfriendlyname=true +#configuration.validate.saml1.parameter.strict=true #MOA-ID 3.x Monitoring Servlet diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 9a90d1c49..62bde84bc 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -432,6 +432,13 @@ UNIX: moa.id.configuration=file:C:/Programme/apache/tomcat-8.x.x/conf/moa-id/moa <p><strong>Hinweis: </strong>Workaround, da der httpClient der openSAML2 Implementierung kein SNI (Server Name Indication) unterstützt.</p></td> </tr> <tr> + <td>configuration.validate.saml1.parameter.strict</td> + <td>true / false</td> + <td><p>Aktiviert oder deaktiviert die strikte Validierung von SecurityLayer Template URLs welche via HTTP Parameter "template" (siehe <a href="../protocol/protocol.html#saml1_startauth">SAML1 Protokoll)</a> angegeben werden können. Wenn dieser Parameter aktiviert (<em>true</em>) sind ausschließlich Tempalte URLs erlaubt die entweder in <a href="#konfigurationsparameter_allgemein_sl-templates">Allgemeinen Konfiguration</a> oder in der <a href="#konfigurationsparameter_oa_bku">jeweiligen SP Konfiguration</a> konfiguriert sind. Ist die strikte Validierung deaktiviert (<em>false</em>) sind zusätzlich alle Template URLs erlaubut welche vom selben Host liegen wie die MOA-ID Instanz. </p> + <p> </p> + <p><strong>Defaultwert:</strong> false</p></td> + </tr> + <tr> <td>configuration.validate.authblock.targetfriendlyname</td> <td>true / false</td> <td>Hiermit kann die Überprüfung des 'TargetFriendlyName', welcher Teil des vom Benutzer signierten Authblock ist, deaktiviert werden. Eine Deaktivierung hat keinen Einfluss auf die Sicherheit des Authentifizierungsvorgangs mittels qualifizierter Signatur, jedoch kann der 'TargetFriendlyName im Authblock nicht als gesichert betrachtet werden.' Die Validierung ist deaktiviert wenn der Parameter auf <code>false</code> gesetzt wird.<br> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ead80b117..03fd225e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -42,6 +42,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; +import at.gv.egovernment.moa.id.config.auth.PropertyBasedAuthConfigurationProvider; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -182,14 +183,14 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ List<String> defaulTemplateURLList = authConfig.getSLRequestTemplates(); - if ( templateURLList != null && templateURLList.size() > 0 + if ( templateURLList != null && !templateURLList.isEmpty() && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); - } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { + } else if ( !defaulTemplateURLList.isEmpty() && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), authConfig.getRootConfigFileDir()); @@ -203,8 +204,13 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ } - if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL())) + if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL(), + authConfig.getBasicConfigurationBoolean( + PropertyBasedAuthConfigurationProvider.PROP_STRICT_SAML1_PARAM_VALIDATION, + false))) { throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); + + } protocolReq.setRawDataToTransaction( MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java index 94bcae672..cf3e0efd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java @@ -57,4 +57,19 @@ public class AuthConfigurationProviderFactory { return instance; } + + /** + * Set AuthConfig programmatically + * + * @param authConfig + */ + public static void setAuthConfig(AuthConfiguration authConfig) { + if (instance != null) { + throw new RuntimeException("AuthConfig can ONLY set once!"); + + } + + instance = authConfig; + + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index f299e0e94..1ffdaa524 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -52,6 +52,8 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide public static final String PROP_MOAID_MODE = "general.moaidmode.active"; + public static final String PROP_STRICT_SAML1_PARAM_VALIDATION = + "configuration.validate.saml1.parameter.strict"; private static final boolean TRUST_MANAGER_REVOCATION_CHECKING_DEFAULT = true; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index a44d8c1b6..065615666 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -220,11 +220,11 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ }
// check if template is a valid URL
- try {
+ try {
+ URL bkuUrl = new URL(bkuURI);
// check if bku url starts with http or https
- if (bkuURI.startsWith("http") || bkuURI.startsWith("https")) {
- new URL(bkuURI);
-
+ if (bkuUrl.getProtocol().equals("http") || bkuUrl.getProtocol().equals("https")) {
+
// check if bkuURI is a local BKU
if (bkuURI.compareToIgnoreCase("https://localhost:3496/https-security-layer-request") == 0 ||
bkuURI.compareToIgnoreCase("http://localhost:3495/http-security-layer-request") == 0 ||
@@ -232,8 +232,8 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ bkuURI.compareToIgnoreCase("https://127.0.0.1:3496/https-security-layer-request") == 0) {
Logger.debug("Parameter bkuURI erfolgreich ueberprueft");
return true;
- }
- else {
+
+ } else {
Logger.debug("Parameter bkuURI ist keine lokale BKU. Ueberpruefe Liste der vertrauenswuerdigen BKUs.");
boolean b = allowedBKUs.contains(bkuURI);
if (b) {
@@ -246,17 +246,17 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ return false;
}
}
- }
- else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) {
+
+ } else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) {
Logger.debug("Parameter bkuURI from configuration is used.");
return true;
} else {
Logger.error("Fehler Ueberpruefung Parameter bkuURI. bkuURI beginnt nicht mit http or https");
return false;
+
}
-
} catch (MalformedURLException e) {
Logger.error("Fehler Ueberpruefung Parameter bkuURI", e);
return false;
@@ -268,9 +268,12 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ * Checks if the given template is valid
* @param req
* @param template
+ * @param oaSlTemplates
+ * @param useStrictValidation Enables strict validation with URLs from configuration, otherwise always allow templates from same host.
* @return
*/
- public static boolean isValidTemplate(HttpServletRequest req, String template, List<String> oaSlTemplates) {
+ public static boolean isValidTemplate(HttpServletRequest req, String template,
+ List<String> oaSlTemplates, boolean useStrictValidation) {
Logger.debug("Ueberpruefe Parameter Template bzw. bkuSelectionTemplateURL");
@@ -282,65 +285,38 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ // check if template is a valid URL
try {
-
- // check if template url starts with http or https
- if (template.startsWith("http") || template.startsWith("https")) {
-
- // check if template url is from same server
- String name = req.getServerName();
- String httpName = "http://" + name;
- String httpsName = "https://" + name;
-
- if (template.startsWith(httpName) || template.startsWith(httpsName)) {
- new URL(template);
- Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft");
- return true;
- }
- else {
- //check against configured trustet template urls
- AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
- List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
-
- //get OA specific template URLs
- if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
- for (String el : oaSlTemplates)
- if (MiscUtil.isNotEmpty(el))
- trustedTemplateURLs.add(el);
- }
-
- boolean b = trustedTemplateURLs.contains(template);
- if (b) {
- Logger.debug("Parameter Template erfolgreich ueberprueft");
- return true;
- }
- else {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Parameter liegt nicht am gleichen Server wie die MOA-Instanz (" + req.getServerName() + ") bzw. ist nicht auf Liste der vertrauenswuerdigen Template URLs (Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
- return false;
- }
-
- }
-
- } else if (template.startsWith("file")){
- new URL(template);
- Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft");
- Logger.debug("Load SL-Layer Template from local filesystem " + template);
- return true;
-
- } else {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https.");
- return false;
- }
+ if (useStrictValidation) {
+ Logger.trace("Use strict validation of Template bzw. bkuSelectionTemplateURL");
+ return validateTemplateUrlToWhiteList(template, oaSlTemplates);
+
+ } else {
+ Logger.trace("Use lazy validation of Template bzw. bkuSelectionTemplateURL");
+ URL templateUrl = new URL(template);
+ String serverName = req.getServerName();
+
+ // check if template url starts with http or https
+ if (((templateUrl.getProtocol().startsWith("http")
+ || templateUrl.getProtocol().startsWith("https")))
+ && templateUrl.getHost().equals(serverName)) {
+ Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft"
+ + " Lazy check is activ and template is on same host as MOA-ID");
+ return true;
+
+
+ } else {
+ return validateTemplateUrlToWhiteList(template, oaSlTemplates);
+
+ }
+ }
- } catch (MalformedURLException e) {
+ } catch (MalformedURLException | ConfigurationException e) {
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
- } catch (ConfigurationException e) {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
- return false;
- }
+
+ }
}
- /**
+ /**
* Checks if the given sessionID is valid
* @param target HTTP parameter from request
* @return
@@ -540,13 +516,44 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } catch (WrongParametersException e) {
return false;
+
}
- if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS))
+ if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS)) {
return false;
- else
+
+ } else {
return true;
+
+ }
}
+
+ private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates)
+ throws ConfigurationException {
+ //check against configured trustet template urls
+ AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
+ List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
+
+ //get OA specific template URLs
+ if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+ for (String el : oaSlTemplates)
+ if (MiscUtil.isNotEmpty(el))
+ trustedTemplateURLs.add(el);
+ }
+
+ boolean b = trustedTemplateURLs.contains(template);
+ if (b) {
+ Logger.debug("Parameter Template erfolgreich ueberprueft");
+ return true;
+
+ } else {
+ Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
+ + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
+ + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
+ return false;
+
+ }
+ }
}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index 1ab54471c..7707f3b90 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -26,6 +26,9 @@ public class DummyAuthConfig implements AuthConfiguration { private Boolean isIDLEscapingEnabled = null; + private Map<String, String> basicConfig = new HashMap<>(); + private List<String> slRequestTemplates; + @Override public String getRootConfigFileDir() { // TODO Auto-generated method stub @@ -100,7 +103,10 @@ public class DummyAuthConfig implements AuthConfiguration { } else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) { return "urn:publicid:gv.at:cdid+ZP-MH"; - } + } else if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } return null; @@ -108,8 +114,13 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public String getBasicConfiguration(String key, String defaultValue) { - // TODO Auto-generated method stub - return null; + if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } else { + return defaultValue; + + } } @Override @@ -235,8 +246,8 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public List<String> getSLRequestTemplates() throws ConfigurationException { - // TODO Auto-generated method stub - return null; + return slRequestTemplates; + } @Override @@ -428,8 +439,14 @@ public class DummyAuthConfig implements AuthConfiguration { } + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } else { + return defaultValue; + + } - return false; } @Override @@ -462,8 +479,27 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public Boolean getBasicConfigurationBoolean(String key) { - // TODO Auto-generated method stub + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } + return null; } + public void putIntoBasicConfig(String key, String value) { + basicConfig.put(key, value); + + } + + public void removeFromBasicConfig(String key) { + basicConfig.remove(key); + + } + + public void setSlRequestTemplateUrls(List<String> templates) { + slRequestTemplates = templates; + + } + } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java new file mode 100644 index 000000000..ad9e2c90e --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java @@ -0,0 +1,588 @@ +package test.at.gv.egovernment.moa.id.util; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.Principal; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Enumeration; +import java.util.List; +import java.util.Locale; +import java.util.Map; + +import javax.servlet.AsyncContext; +import javax.servlet.DispatcherType; +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import javax.servlet.http.Part; + +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; + +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; + +@RunWith(BlockJUnit4ClassRunner.class) +public class ParamValidatorUtilsTest { + + private static DummyAuthConfig config; + + @BeforeClass + public static void classInitializer() { + config = new DummyAuthConfig(); + AuthConfigurationProviderFactory.setAuthConfig(config); + config.setSlRequestTemplateUrls(new ArrayList<String>()); + + } + + @Test + public void templateStrictWhitelistFirst() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/bbbb"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); + + } + + @Test + public void templateStrictWhitelistSecond() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://aaaa.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); + + } + + @Test + public void templateLazyWhitelistFirst() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/bbbb"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSecond() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://aaaa.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistThird() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://aaaa.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistFour() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "http://aaaa.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should NOT be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistFife() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "http://junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSix() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "https://junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLaczWhitelistSeven() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file://junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/bbbb"); + + Assert.assertFalse("Template should Not be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + private HttpServletRequest getDummyHttpRequest(final String serverName) { + return new HttpServletRequest() { + + @Override + public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) + throws IllegalStateException { + // TODO Auto-generated method stub + return null; + } + + @Override + public AsyncContext startAsync() throws IllegalStateException { + // TODO Auto-generated method stub + return null; + } + + @Override + public void setCharacterEncoding(String env) throws UnsupportedEncodingException { + // TODO Auto-generated method stub + + } + + @Override + public void setAttribute(String name, Object o) { + // TODO Auto-generated method stub + + } + + @Override + public void removeAttribute(String name) { + // TODO Auto-generated method stub + + } + + @Override + public boolean isSecure() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isAsyncSupported() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isAsyncStarted() { + // TODO Auto-generated method stub + return false; + } + + @Override + public ServletContext getServletContext() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getServerPort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getServerName() { + return serverName; + + } + + @Override + public String getScheme() { + // TODO Auto-generated method stub + return null; + } + + @Override + public RequestDispatcher getRequestDispatcher(String path) { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getRemotePort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getRemoteHost() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRemoteAddr() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRealPath(String path) { + // TODO Auto-generated method stub + return null; + } + + @Override + public BufferedReader getReader() throws IOException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getProtocol() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String[] getParameterValues(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration<String> getParameterNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Map<String, String[]> getParameterMap() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getParameter(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration<Locale> getLocales() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Locale getLocale() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getLocalPort() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getLocalName() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getLocalAddr() { + // TODO Auto-generated method stub + return null; + } + + @Override + public ServletInputStream getInputStream() throws IOException { + // TODO Auto-generated method stub + return null; + } + + @Override + public DispatcherType getDispatcherType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getContentType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getContentLength() { + // TODO Auto-generated method stub + return 0; + } + + @Override + public String getCharacterEncoding() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration<String> getAttributeNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Object getAttribute(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public AsyncContext getAsyncContext() { + // TODO Auto-generated method stub + return null; + } + + @Override + public void logout() throws ServletException { + // TODO Auto-generated method stub + + } + + @Override + public void login(String username, String password) throws ServletException { + // TODO Auto-generated method stub + + } + + @Override + public boolean isUserInRole(String role) { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdValid() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromUrl() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromURL() { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean isRequestedSessionIdFromCookie() { + // TODO Auto-generated method stub + return false; + } + + @Override + public Principal getUserPrincipal() { + // TODO Auto-generated method stub + return null; + } + + @Override + public HttpSession getSession(boolean create) { + // TODO Auto-generated method stub + return null; + } + + @Override + public HttpSession getSession() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getServletPath() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRequestedSessionId() { + // TODO Auto-generated method stub + return null; + } + + @Override + public StringBuffer getRequestURL() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRequestURI() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getRemoteUser() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getQueryString() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getPathTranslated() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getPathInfo() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Collection<Part> getParts() throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + @Override + public Part getPart(String name) throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getMethod() { + // TODO Auto-generated method stub + return null; + } + + @Override + public int getIntHeader(String name) { + // TODO Auto-generated method stub + return 0; + } + + @Override + public Enumeration<String> getHeaders(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public Enumeration<String> getHeaderNames() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getHeader(String name) { + // TODO Auto-generated method stub + return null; + } + + @Override + public long getDateHeader(String name) { + // TODO Auto-generated method stub + return 0; + } + + @Override + public Cookie[] getCookies() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getContextPath() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getAuthType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean authenticate(HttpServletResponse response) throws IOException, ServletException { + // TODO Auto-generated method stub + return false; + } + }; + } +} |