From e10256fe93208ef786d2e38a68a98e2548d501ee Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 31 Aug 2020 10:22:11 +0200 Subject: fix SSRF bug in SAML1 parameter validator --- .../moa/id/config/auth/data/DummyAuthConfig.java | 50 +- .../moa/id/util/ParamValidatorUtilsTest.java | 588 +++++++++++++++++++++ 2 files changed, 631 insertions(+), 7 deletions(-) create mode 100644 id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java (limited to 'id/server/idserverlib/src/test') diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index 1ab54471c..7707f3b90 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -26,6 +26,9 @@ public class DummyAuthConfig implements AuthConfiguration { private Boolean isIDLEscapingEnabled = null; + private Map basicConfig = new HashMap<>(); + private List slRequestTemplates; + @Override public String getRootConfigFileDir() { // TODO Auto-generated method stub @@ -100,7 +103,10 @@ public class DummyAuthConfig implements AuthConfiguration { } else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) { return "urn:publicid:gv.at:cdid+ZP-MH"; - } + } else if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } return null; @@ -108,8 +114,13 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public String getBasicConfiguration(String key, String defaultValue) { - // TODO Auto-generated method stub - return null; + if (basicConfig.containsKey(key)) { + return basicConfig.get(key); + + } else { + return defaultValue; + + } } @Override 
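Review bot: Both `getBasicConfiguration` overloads check `containsKey` and then call `get`, a double lookup that the map API already covers. In the two-argument overload the whole `if`/`else` can be `return basicConfig.getOrDefault(key, defaultValue);`. In the one-argument overload the new `else if` branch plus the trailing `return null;` is equivalent to ending the chain with `return basicConfig.get(key);`. The same pattern recurs in the two `getBasicConfigurationBoolean` hunks further down. The one-argument method starts above its hunk, so its earlier branches are not visible here.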
@@ -235,8 +246,8 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public List getSLRequestTemplates() throws ConfigurationException { - // TODO Auto-generated method stub - return null; + return slRequestTemplates; + } @Override @@ -428,8 +439,14 @@ public class DummyAuthConfig implements AuthConfiguration { } + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } else { + return defaultValue; + + } - return false; } @Override @@ -462,8 +479,27 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public Boolean getBasicConfigurationBoolean(String key) { - // TODO Auto-generated method stub + if (basicConfig.containsKey(key)) { + return Boolean.parseBoolean(basicConfig.get(key)); + + } + return null; } + public void putIntoBasicConfig(String key, String value) { + basicConfig.put(key, value); + + } + + public void removeFromBasicConfig(String key) { + basicConfig.remove(key); + + } + + public void setSlRequestTemplateUrls(List templates) { + slRequestTemplates = templates; + + } + } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java new file mode 100644 index 000000000..ad9e2c90e --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java 
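Review bot: `getSLRequestTemplates()` now returns the `slRequestTemplates` field, but the first hunk declares that field without an initializer, so any test that has not called `setSlRequestTemplateUrls` still gets `null` back. Initialising the field to an empty list where it is declared, as `basicConfig` is, would remove that ordering dependency. The three new mutators at the end of the class (`putIntoBasicConfig`, `removeFromBasicConfig`, `setSlRequestTemplateUrls`) have no Javadoc; a short comment such as `/** Test hook: overrides a basic-configuration value returned by the getters. */` would help. It should also say that values stay set until removed, since the new test installs one instance through the static `AuthConfigurationProviderFactory.setAuthConfig`.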
@@ -0,0 +1,588 @@
+package test.at.gv.egovernment.moa.id.util;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.AsyncContext;
+import javax.servlet.DispatcherType;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.Part;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class ParamValidatorUtilsTest {
+
+ private static DummyAuthConfig config;
+
+ @BeforeClass
+ public static void classInitializer() {
+ config = new DummyAuthConfig();
+ AuthConfigurationProviderFactory.setAuthConfig(config);
+ config.setSlRequestTemplateUrls(new ArrayList());
+
+ }
+
+ @Test
+ public void templateStrictWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateStrictWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://aaaa.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://aaaa.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistThird() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistFour() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://aaaa.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistFife() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://junit.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSix() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://junit.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSeven() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://junit.com/ccc";
+ List oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should Not be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ private HttpServletRequest getDummyHttpRequest(final String serverName) {
+ return new HttpServletRequest() {
+
+ @Override
+ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse)
+ throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext startAsync() throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void setCharacterEncoding(String env) throws UnsupportedEncodingException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void setAttribute(String name, Object o) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void removeAttribute(String name) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isSecure() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncSupported() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncStarted() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public ServletContext getServletContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getServerPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getServerName() {
+ return serverName;
+
+ }
+
+ @Override
+ public String getScheme() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public RequestDispatcher getRequestDispatcher(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getRemotePort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getRemoteHost() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRealPath(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getProtocol() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration getParameterNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Map getParameterMap() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getParameter(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration getLocales() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Locale getLocale() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getLocalPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getLocalName() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getLocalAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public DispatcherType getDispatcherType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContentType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getContentLength() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getCharacterEncoding() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration getAttributeNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Object getAttribute(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext getAsyncContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void logout() throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void login(String username, String password) throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdValid() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromUrl() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromURL() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromCookie() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public Principal getUserPrincipal() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession(boolean create) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getServletPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestedSessionId() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public StringBuffer getRequestURL() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestURI() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteUser() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getQueryString() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathTranslated() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathInfo() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Collection getParts() throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Part getPart(String name) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getMethod() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getIntHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Enumeration getHeaders(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration getHeaderNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public long getDateHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Cookie[] getCookies() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContextPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getAuthType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return false;
+ }
+ };
+ }
+}
-- cgit v1.2.3
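Review bot: The host that lazy mode treats as trusted comes from `req.getServerName()` in `templateLaczWhitelistFife` and `templateLaczWhitelistSix`, and in a servlet container that value normally reflects the request's Host header rather than configuration. The validator itself is outside this test-only view, so this may already be handled there; if it is not, anchoring the comparison on the service's configured public URL would be safer and deserves its own test. The cases also vary only scheme and path, so a test with a different port and one with a host that merely contains the server name would document how strictly the host is compared. Separately, `Lacz` and `Fife` in the method names look like typos for `Lazy` and `Five`.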