From 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 31 Aug 2020 13:51:14 +0200 Subject: update validation in case of file:/ paths because trusted templates can be relative to config directory --- .../moa/id/util/ParamValidatorUtils.java | 28 ++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 065615666..0e468bb6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util; import java.io.ByteArrayInputStream; import java.io.IOException; import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.net.URL; import java.util.Collections; import java.util.HashMap; @@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.xml.sax.SAXException; import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } } - } catch (MalformedURLException | ConfigurationException e) { + } catch (MalformedURLException | ConfigurationException | URISyntaxException e) { Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e); return false; @@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } private static boolean validateTemplateUrlToWhiteList(String template, List oaSlTemplates) - throws ConfigurationException { + throws ConfigurationException, MalformedURLException, URISyntaxException { //check against configured trustet template urls AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance(); List trustedTemplateURLs = authConf.getSLRequestTemplates(); //get OA specific template URLs - if (oaSlTemplates != null && oaSlTemplates.size() > 0) { + if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) { for (String el : oaSlTemplates) if (MiscUtil.isNotEmpty(el)) trustedTemplateURLs.add(el); } - boolean b = trustedTemplateURLs.contains(template); + boolean b = false; + if (template.startsWith("file:")) { + for (String el : trustedTemplateURLs) { + URL templateUrl = new URL(template); + URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory())); + b = trustedUrl.equals(templateUrl); + if (b) { + break; + } + } + + } else { + b = trustedTemplateURLs.contains(template); + + } + + if (b) { Logger.debug("Parameter Template erfolgreich ueberprueft"); return true; } else { + Logger.info("Template:" + template + " DOES NOT match to allowed templates: [" + + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]"); Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. " + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs " + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)"); -- cgit v1.2.3