This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 07557c03271fd977729a5f8c4a3929db96742431
Author: Daniel Kulp <dk...@apache.org>
AuthorDate: Mon Mar 23 15:01:51 2020 -0400
Prevent SOAPAction spoofing for RPC/Lit services
(cherry picked from commit b563f7b59db5a749537d1149ff48cdbc021f54f8)
(cherry picked from commit 3e285c217b21174c8f9f37a0755d32345e134fb0)
---
 .../cxf/binding/soap/interceptor/Messages.properties | 1 +
 .../cxf/binding/soap/interceptor/RPCInInterceptor.java | 5 +++++
 .../apache/cxf/systest/jms/action/JMSSoapActionTest.java | 15 ++++++++++-----
 .../java/org/apache/cxf/systest/soap/SoapActionTest.java | 1 -
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index bf5622b..aea4a57 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -34,3 +34,4 @@ NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP message.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
 UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
 SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.
+SOAP_ACTION_MISMATCH_OP=The given SOAPAction {0} does not match the received operation {1}.
\ No newline at end of file
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
index 78a7f29..5f281c9 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
@@ -30,6 +30,7 @@
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
+import org.apache.cxf.binding.soap.SoapBindingConstants;
 import org.apache.cxf.binding.soap.wsdl.extensions.SoapBody;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.databinding.DataReader;
@@ -112,6 +113,10 @@ public class RPCInInterceptor extends AbstractInDatabindingInterceptor {
 setMessage(message, operation);
 } else {
 operation = message.getExchange().getBindingOperationInfo();
+ if (!operation.getName().getLocalPart().equals(opName)) {
+ String sa = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+ throw new Fault("SOAP_ACTION_MISMATCH_OP", LOG, null, sa, opName);
+ }
 }
 MessageInfo msg;
 DataReader<XMLStreamReader> dr = getDataReader(message, XMLStreamReader.class);
diff --git a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
index 59c39da..c3ba953 100644
--- a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
+++ b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
@@ -43,7 +43,7 @@ import org.junit.Test;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertSame;
-
+import static org.junit.Assert.fail;
 
 /**
 * Some tests for sending a SOAP Action with JMS
@@ -108,6 +113,8 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
 ((java.io.Closeable)greeter).close();
 }
 
+
+ @Test
 public void testSayHi2() throws Exception {
 QName serviceName = new QName("http://cxf.apache.org/hello_world_jms",
 "HelloWorldServiceSoapAction");
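Review bot: The new guard in the else branch compares only the local part of the bound operation's name with opName, so a body element whose local name matches but whose namespace differs still passes; whether that is a gap depends on how opName is derived earlier in the method, which is outside this hunk. The mismatch is a malformed client request, so the fault should carry the client fault code rather than the default server code — build it into a local, call `f.setFaultCode(Fault.FAULT_CODE_CLIENT);`, then throw it. sa may be null when the request carried no SOAPAction, which the message renders as "null"; a short comment such as `// sa is null when the request carried no SOAPAction header` would make that intentional. The enclosing method starts and ends outside the hunk.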
@@ -126,10 +128,13 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
 BindingProvider.SOAPACTION_URI_PROPERTY,
 "SAY_HI_2"
 );
- String reply = greeter.sayHi();
- assertNotNull("no response received from service", reply);
- assertEquals(response, reply);
-
+ try {
+ greeter.sayHi();
+ fail("Failure expected on spoofing attack");
+ } catch (Exception ex) {
+ // expected
+ }
+
 ((java.io.Closeable)greeter).close();
 }
 
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
index 768556b..8676083 100644
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
@@ -341,7 +341,6 @@ public class SoapActionTest extends Assert {
 }
 
 @Test
- @org.junit.Ignore // TODO
 public void testRPCLitSoapActionSpoofing() throws Exception {
 JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
 pf.setServiceClass(RPCGreeter.class);
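Review bot: The new try/catch in testSayHi2 catches Exception and treats any failure as the expected rejection, so a transport problem or an unrelated server error would make the test pass without exercising the new operation check. Narrow the catch to the fault type the JAX-WS proxy raises (presumably `javax.xml.ws.soap.SOAPFaultException`) and assert on the message, e.g. `assertTrue(ex.getMessage().contains("does not match the received operation"));`, adding the assertTrue static import next to the new fail import. The test method starts outside this hunk.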