diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 |
commit | 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch) | |
tree | 8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java | |
parent | 8322112004a0334a5d73795760880e635813793b (diff) | |
download | moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.gz moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.bz2 moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.zip |
update validation in case of file:/ paths because trusted templates can be relative to config directory
Diffstat (limited to 'id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java')
-rw-r--r-- | id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java | 73 |
1 files changed, 61 insertions, 12 deletions
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java index ad9e2c90e..7afad55aa 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java @@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest { config = new DummyAuthConfig(); AuthConfigurationProviderFactory.setAuthConfig(config); config.setSlRequestTemplateUrls(new ArrayList<String>()); + config.setConfigRootDir("file://junit.com/"); } @@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest { public void templateStrictWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); @@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSecond() { + public void templateLazyWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); @@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistThird() { + public void templateLazyWhitelistThird() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://aaaa.com/ccc"; @@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFour() { + public void templateLazyWhitelistFour() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://aaaa.com/ccc"; @@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFife() { + public void templateLazyWhitelistFife() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://junit.com/ccc"; @@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSix() { + public void templateLazyWhitelistSix() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://junit.com/ccc"; @@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSeven() { + public void templateLazyWhitelistSeven() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://junit.com/ccc"; + String template = "file:/junit.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should Not be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); } + @Test + public void templateLazyWhitelistEight() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:/junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistNine() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com\\ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistTen() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + private HttpServletRequest getDummyHttpRequest(final String serverName) { return new HttpServletRequest() { |