Add support for allowedHostnames in StrictHttpFirewall

eddumelendez · jzheaux · commit f712c5598c21 · 2019-08-03T21:16:45.000-04:00
Introduce a new method `setAllowedHostnames` which perform the validation against untrusted hostnames. Fixes gh-4310
diff --git a/web/src/main/java/org/springframework/security/web/FilterInvocation.java b/web/src/main/java/org/springframework/security/web/FilterInvocation.java
@@ -228,10 +228,15 @@ public String getQueryString() {
 	public void setQueryString(String queryString) {
 		this.queryString = queryString;
 	}
+
+	@Override
+	public String getServerName() {
+		return null;
+	}
 }
 
 final class UnsupportedOperationExceptionInvocationHandler implements InvocationHandler {
 	public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
 		throw new UnsupportedOperationException(method + " is not supported");
 	}
-}
+}
diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.function.Predicate;
 
 /**
  * <p>
@@ -66,10 +67,15 @@
  * Rejects URLs that contain a URL encoded percent. See
  * {@link #setAllowUrlEncodedPercent(boolean)}
  * </li>
+ * <li>
+ * Rejects hosts that are not allowed. See
+ * {@link #setAllowedHostnames(Predicate)}
+ * </li>
  * </ul>
  *
  * @see DefaultHttpFirewall
  * @author Rob Winch
+ * @author Eddú Meléndez
  * @since 4.2.4
  */
 public class StrictHttpFirewall implements HttpFirewall {
@@ -98,6 +104,8 @@ public class StrictHttpFirewall implements HttpFirewall {
 
 	private Set<String> allowedHttpMethods = createDefaultAllowedHttpMethods();
 
+	private Predicate<String> allowedHostnames = hostname -> true;
+
 	public StrictHttpFirewall() {
 		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
 		urlBlacklistsAddAll(FORBIDDEN_FORWARDSLASH);
@@ -297,6 +305,13 @@ public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) {
 		}
 	}
 
+	public void setAllowedHostnames(Predicate<String> allowedHostnames) {
+		if (allowedHostnames == null) {
+			throw new IllegalArgumentException("allowedHostnames cannot be null");
+		}
+		this.allowedHostnames = allowedHostnames;
+	}
+
 	private void urlBlacklistsAddAll(Collection<String> values) {
 		this.encodedUrlBlacklist.addAll(values);
 		this.decodedUrlBlacklist.addAll(values);
@@ -311,6 +326,7 @@ private void urlBlacklistsRemoveAll(Collection<String> values) {
 	public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
 		rejectForbiddenHttpMethod(request);
 		rejectedBlacklistedUrls(request);
+		rejectedUntrustedHosts(request);
 
 		if (!isNormalized(request)) {
 			throw new RequestRejectedException("The request was rejected because the URL was not normalized.");
@@ -352,6 +368,13 @@ private void rejectedBlacklistedUrls(HttpServletRequest request) {
 		}
 	}
 
+	private void rejectedUntrustedHosts(HttpServletRequest request) {
+		String serverName = request.getServerName();
+		if (serverName != null && !this.allowedHostnames.test(serverName)) {
+			throw new RequestRejectedException("The request was rejected because the domain " + serverName + " is untrusted.");
+		}
+	}
+
 	@Override
 	public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
 		return new FirewalledResponse(response);
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 
 /**
  * @author Rob Winch
+ * @author Eddú Meléndez
  */
 public class StrictHttpFirewallTests {
 	public String[] unnormalizedPaths = { "/..", "/./path/", "/path/path/.", "/path/path//.", "./path/../path//.",
@@ -524,4 +525,20 @@ public void getFirewalledRequestWhenRemoveFromDecodedUrlBlacklistThenNoException
 		this.firewall.getDecodedUrlBlacklist().removeAll(Arrays.asList("//"));
 		assertThatCode(() -> this.firewall.getFirewalledRequest(request)).doesNotThrowAnyException();
 	}
+
+	@Test
+	public void getFirewalledRequestWhenTrustedDomainThenNoException() {
+		this.request.addHeader("Host", "example.org");
+		this.firewall.setAllowedHostnames(hostname -> hostname.equals("example.org"));
+
+		assertThatCode(() -> this.firewall.getFirewalledRequest(this.request)).doesNotThrowAnyException();
+	}
+
+	@Test(expected = RequestRejectedException.class)
+	public void getFirewalledRequestWhenUntrustedDomainThenException() {
+		this.request.addHeader("Host", "example.org");
+		this.firewall.setAllowedHostnames(hostname -> hostname.equals("myexample.org"));
+
+		this.firewall.getFirewalledRequest(this.request);
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -228,10 +228,15 @@ public String getQueryString() {`
`228`	`228`	`public void setQueryString(String queryString) {`
`229`	`229`	`this.queryString = queryString;`
`230`	`230`	`}`
	`231`	`+`
	`232`	`+ @Override`
	`233`	`+ public String getServerName() {`
	`234`	`+ return null;`
	`235`	`+ }`
`231`	`236`	`}`
`232`	`237`
`233`	`238`	`final class UnsupportedOperationExceptionInvocationHandler implements InvocationHandler {`
`234`	`239`	`public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {`
`235`	`240`	`throw new UnsupportedOperationException(method + " is not supported");`
`236`	`241`	`}`
`237`		`-}`
	`242`	`+}`