This is an automated email from the ASF dual-hosted git repository.

dklco pushed a commit to branch SLING-11871
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git

commit b3a4fb8450da1ab298977547e96037eda5bdacfc
Merge: 7e0c9d7 8641525
Author: Dan Klco <[email protected]>
AuthorDate: Thu May 11 21:41:14 2023 -0400

    Merging latest from master

 .asf.yaml                                          |  11 +
 .vscode/settings.json                              |   3 +
 bnd.bnd                                            |   1 +
 pom.xml                                            |   9 +-
 .../security/impl/ContentDispositionFilter.java    |  76 ++++---
 .../apache/sling/security/impl/ReferrerFilter.java | 241 +++++++++++----------
 .../impl/ContentDispositionFilterTest.java         |  30 +--
 .../sling/security/impl/ReferrerFilterTest.java    | 127 +++++++----
 8 files changed, 283 insertions(+), 215 deletions(-)

diff --cc src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 24223f2,5125e57..9aa56f2
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@@ -159,26 -159,22 +165,27 @@@ public class ReferrerFilter implements 
      /**
       * Do we allow empty referrer?
       */
-     private boolean allowEmpty;
+     private final boolean allowEmpty;
  
 +    /**
 +     * Do we allow if Origin is set
 +     */
 +    private boolean bypassWithOrigin;
 +
      /** Allowed uri referrers */
-     private URL[] allowedUriReferrers;
+     private final URL[] allowedUriReferrers;
  
      /** Allowed regexp referrers */
-     private Pattern[] allowedRegexReferrers;
+     private final Pattern[] allowedRegexReferrers;
  
      /** Methods to be filtered. */
-     private String[] filterMethods;
+     private final String[] filterMethods;
  
-     /** Paths to be excluded */
-     private Pattern[] excludedRegexUserAgents;
+     /** User agents to be excluded */
+     private final Pattern[] excludedRegexUserAgents;
  
-     private ServiceRegistration<Object> configPrinterRegistration;
+     /** Paths to be excluded */
+     private final String[] excludedPaths;
  
      /**
       * Create a default list of referrers
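Review bot: `bypassWithOrigin` is the only field in this block left non-final while the merge makes every sibling `final` (`allowEmpty`, `allowedUriReferrers`, `allowedRegexReferrers`, `filterMethods`, `excludedRegexUserAgents`, `excludedPaths`); it is assigned exactly once in the constructor in the next hunk, so it should be `private final boolean bypassWithOrigin;` as well. Its Javadoc is also the vaguest of the group — "Do we allow if Origin is set" does not say what is allowed; given how the flag is used in `isValidRequest`, `/** Skip the referrer check entirely when a non-empty Origin header is present. */` describes the actual behaviour and makes the security trade-off visible to whoever reads the field list.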
@@@ -265,14 -261,14 +272,15 @@@
      }
  
      @Activate
-     protected void activate(final BundleContext context, Config config) {
+     public ReferrerFilter(final Config config) {
          this.allowEmpty = config.allow_empty();
 +        this.bypassWithOrigin = config.bypass_with_origin();
          this.allowedRegexReferrers = 
createRegexPatterns(config.allow_hosts_regexp());
          this.excludedRegexUserAgents = 
createRegexPatterns(config.exclude_agents_regexp());
+         this.excludedPaths = config.exclude_paths();
  
          final Set<String> allowUriReferrers = getDefaultAllowedReferrers();
-         if ( config.allow_hosts() != null ) {
+         if (config.allow_hosts() != null) {
              allowUriReferrers.addAll(Arrays.asList(config.allow_hosts()));
          }
          this.allowedUriReferrers = createReferrerUrls(allowUriReferrers);
@@@ -383,14 -363,15 +375,19 @@@
      }
  
      boolean isValidRequest(final HttpServletRequest request) {
 +        final String origin = request.getHeader("origin");
 +        if (origin != null && origin.trim().length() != 0 && 
this.bypassWithOrigin) {
 +            return true;
 +        }
+         // ignore referrer check if the request matches any of the configured 
excluded path.
+         if (isExcludedPath(request)) {
+             return true;
+         }
+         
          final String referrer = request.getHeader("referer");
          // check for missing/empty referrer
-         if ( referrer == null || referrer.trim().length() == 0 ) {
-             if ( !this.allowEmpty ) {
+         if (referrer == null || referrer.trim().length() == 0) {
+             if (!this.allowEmpty) {
                  this.logger.info("Rejected empty referrer header for {} 
request to {}", request.getMethod(), request.getRequestURI());
              }
              return this.allowEmpty;
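Review bot: The new Origin branch at the top of `isValidRequest` returns `true` for any non-empty `origin` header whenever `bypassWithOrigin` is set, without comparing the value against `allowedUriReferrers`/`allowedRegexReferrers` the way the referrer presumably is further down the method; browsers attach an Origin header to cross-site requests too, so with this option enabled the filter no longer constrains which sites may submit the filtered methods, which is the protection this class exists to provide. If the intent is to treat Origin as a more reliable signal than Referer, the value should go through the same host allow-list comparison as the referrer and be accepted only when it matches (rejected otherwise), not short-circuit to `true`; if an unconditional opt-out really is intended, the Config attribute and field Javadoc should say so explicitly. Minor: evaluate the cheap flag first, `if (this.bypassWithOrigin && origin != null && !origin.trim().isEmpty())`, so the header handling reads as gated by configuration. `isValidRequest` continues past the end of the hunk, so the referrer host check itself is not visible here.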
diff --cc src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 282a119,53b1f29..038248a
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@@ -51,17 -52,12 +52,17 @@@ public class ReferrerFilterTest 
  
              @Override
              public boolean allow_empty() {
-                 return false;
+                 return allowEmpty;
              }
  
 +            @Override
 +            public boolean bypass_with_origin() {
 +                return true;
 +            }
 +
              @Override
              public String[] allow_hosts() {
-                 return new String[]{"relhost"};
+                 return allowHosts;
              }
  
              @Override
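Review bot: `bypass_with_origin()` returns a hard-coded `true` while the neighbouring `allow_empty()` and `allow_hosts()` in this same hunk were just changed to return the captured `allowEmpty`/`allowHosts` values; as written, every filter built from this configuration runs with the Origin bypass enabled and no test can exercise the default or disabled path. Capture it the same way, `return bypassWithOrigin;`, with a matching parameter on the enclosing factory method (whose signature starts outside the hunk), so the existing referrer assertions can be run with the bypass off.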
@@@ -124,32 -127,56 +132,63 @@@
  
      @Test
      public void testValidRequest() {
-         Assert.assertEquals(false, filter.isValidRequest(getRequest(null)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("relative")));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("/relative/too")));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("/relative/but/[illegal]")));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://localhost";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://127.0.0.1";)));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost/but/[illegal]";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://relhost";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://relhost:9001";)));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://abshost:9001";)));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("https://abshost:80";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://abshost:80";)));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://abshost:9001";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://another.abshost:80";)));
-         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://yet.another.abshost:80";)));
-         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
+         assertFalse(filter.isValidRequest(getRequest(null)));
+         assertTrue(filter.isValidRequest(getRequest("relative")));
+         assertTrue(filter.isValidRequest(getRequest("/relative/too")));
+         
assertTrue(filter.isValidRequest(getRequest("/relative/but/[illegal]")));
+         assertFalse(filter.isValidRequest(getRequest("http://somehost";)));
+         assertTrue(filter.isValidRequest(getRequest("http://localhost";)));
+         assertTrue(filter.isValidRequest(getRequest("http://127.0.0.1";)));
+         
assertFalse(filter.isValidRequest(getRequest("http://somehost/but/[illegal]";)));
+         assertTrue(filter.isValidRequest(getRequest("http://relhost";)));
+         assertTrue(filter.isValidRequest(getRequest("http://relhost:9001";)));
+         assertFalse(filter.isValidRequest(getRequest("http://abshost:9001";)));
+         assertFalse(filter.isValidRequest(getRequest("https://abshost:80";)));
+         assertTrue(filter.isValidRequest(getRequest("http://abshost:80";)));
+         assertFalse(filter.isValidRequest(getRequest("http://abshost:9001";)));
+         
assertTrue(filter.isValidRequest(getRequest("http://another.abshost:80";)));
+         
assertFalse(filter.isValidRequest(getRequest("http://yet.another.abshost:80";)));
+         
assertTrue(filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
+         assertFalse(filter.isValidRequest(getRequest("?://")));
+     }
+     
+     @Test
+     public void testExcludedPath() {
+         assertTrue(filter.isValidRequest(getRequest(null, null, 
"/test_path")));
+         assertFalse(filter.isValidRequest(getRequest(null, null, 
"/test_path/subtree")));
+         assertFalse(filter.isValidRequest(getRequest(null, null, 
"/test_path_sibling")));
+         
+         assertTrue(filter.isValidRequest(getRequest("relative", null, 
"/test_path")));
+         
assertTrue(filter.isValidRequest(getRequest("http://yet.another.abshost:80";, 
null, "/test_path")));
+     }
+ 
+     @Test
+     public void testExcludedPathNull() {
+         ReferrerFilter rf = new ReferrerFilter(createConfiguration(false, 
null, null, null, null));
+         
+         assertFalse(rf.isValidRequest(getRequest(null, null, "/test_path")));
+         assertFalse(rf.isValidRequest(getRequest(null, null, 
"/test_path/subtree")));
+         assertFalse(rf.isValidRequest(getRequest(null, null, 
"/test_path_sibling")));
+ 
+         assertTrue(rf.isValidRequest(getRequest("relative", null, 
"/test_path")));
+         
assertFalse(rf.isValidRequest(getRequest("http://yet.another.abshost:80";, null, 
"/test_path")));
+     }
+     
+     @Test
+     public void testAllowEmpty() {
+         ReferrerFilter rf = new ReferrerFilter(createConfiguration(true, 
null, null, null, null));
+ 
+         assertTrue(rf.isValidRequest(getRequest(null, null, "/test_path")));
+         assertTrue(rf.isValidRequest(getRequest("", null, null)));
      }
  
 +    @Test
 +    public void testAllowsWithOrigin(){
 +        HttpServletRequest request = getRequest(null);
 +        
when(request.getHeader("origin")).thenReturn("http://sling.apache.org";);
 +        Assert.assertEquals(true, filter.isValidRequest(request));
 +    }
 +
      @Test
      public void testIsBrowserRequest() {
          String userAgent = "Mozilla/5.0;Some-Agent (Macintosh; Intel Mac OS X 
10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko)";
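Review bot: `testAllowsWithOrigin` asserts only the positive case — an arbitrary origin (`http://sling.apache.org`, which is not among the hosts the surrounding assertions treat as allowed) turns an otherwise-rejected request into a valid one — and nothing checks that the referrer check still applies when `bypass_with_origin` is false, or that a non-allowed Origin is rejected if that is the intended semantics; add a fixture with the bypass disabled and assert `assertFalse(rf.isValidRequest(request));` for the same request. The assertion style is also inconsistent with the rest of the merged file: `Assert.assertEquals(true, filter.isValidRequest(request));` should be `assertTrue(filter.isValidRequest(request));` like the rewritten lines above it, and the method header `public void testAllowsWithOrigin(){` should get the space before the brace used everywhere else. `testIsBrowserRequest` at the end of the hunk continues outside it.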
