Repository: wicket
Updated Branches:
  refs/heads/master a4baf17a3 -> 381fc81c2


WICKET-6274 Add origin header to ajax requests in BaseWicketTester


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/381fc81c
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/381fc81c
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/381fc81c

Branch: refs/heads/master
Commit: 381fc81c22399de7fcd374eb7f047fda91e576fb
Parents: a4baf17
Author: Artur Michałowski <[email protected]>
Authored: Sun Nov 6 15:33:04 2016 +0100
Committer: Martin Tzvetanov Grigorov <[email protected]>
Committed: Mon Nov 14 21:22:07 2016 +0100

----------------------------------------------------------------------
 .../CsrfPreventionRequestCycleListener.java     |  5 ++-
 .../wicket/util/tester/BaseWicketTester.java    | 11 +++++
 .../CsrfPreventionRequestCycleListenerTest.java | 45 ++++++++++----------
 .../apache/wicket/request/http/WebRequest.java  |  4 ++
 4 files changed, 41 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/381fc81c/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index dc82f38..fac6403 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -33,6 +33,7 @@ import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
 import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
 import org.apache.wicket.util.lang.Checks;
 import org.apache.wicket.util.string.Strings;
@@ -383,10 +384,10 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
         */
        protected String getSourceUri(HttpServletRequest containerRequest)
        {
-               String sourceUri = containerRequest.getHeader("Origin");
+               String sourceUri = 
containerRequest.getHeader(WebRequest.HEADER_ORIGIN);
                if (Strings.isEmpty(sourceUri))
                {
-                       sourceUri = containerRequest.getHeader("Referer");
+                       sourceUri = 
containerRequest.getHeader(WebRequest.HEADER_REFERER);
                }
                return normalizeUri(sourceUri);
        }

http://git-wip-us.apache.org/repos/asf/wicket/blob/381fc81c/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java 
b/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
index ad629e3..b5a15ec 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
@@ -1139,6 +1139,7 @@ public class BaseWicketTester
                        Charset.forName(request.getCharacterEncoding()));
                transform(url);
                request.setUrl(url);
+               request.addHeader(WebRequest.HEADER_ORIGIN, 
createOriginHeader());
                request.addHeader(WebRequest.HEADER_AJAX_BASE_URL, 
url.toString());
                request.addHeader(WebRequest.HEADER_AJAX, "true");
 
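Review bot: The emulated Origin is added only on this Ajax path (the `addHeader` right after `request.setUrl(url)`), so tester-driven non-Ajax link clicks and form submits still carry no Origin and `CsrfPreventionRequestCycleListener` will keep falling back to Referer or its no-origin action for them; a one-line comment stating that scope would stop readers from assuming every tester request now has an Origin, e.g. `// browsers typically send Origin with XHR; emulate it so CSRF origin checks see the tester's own origin`. Tests that set their own Origin via `addRequestHeader` presumably still win, but only if `processRequest` applies those values with replace semantics, since `MockHttpServletRequest.addHeader` appends rather than replaces — worth confirming. The enclosing method starts and ends outside the hunk.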
@@ -1160,6 +1161,16 @@ public class BaseWicketTester
 
                processRequest();
        }
+       
+       /**
+        * Build value to Origin header based on RequestCycle Url
+        * 
+        * @return Origin header
+        */
+       protected String createOriginHeader(){
+               Url url = RequestCycle.get().getRequest().getUrl();
+               return url.getProtocol() + "://" +url.getHost() + ":" + 
url.getPort();
+       }
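Review bot: `createOriginHeader` concatenates `url.getProtocol()`, `url.getHost()` and `url.getPort()` without null checks; Wicket's `Url` keeps these as nullable fields (`getPort()` returns a boxed `Integer`), so a request Url without an authority part produces a header such as `null://null:null`, which the CSRF listener would presumably treat as a conflicting origin rather than a missing one. A browser also omits the port when it is the scheme default, so emitting `:80`/`:443` is only equivalent if the listener's normalization fills in defaults — the `differentPortOriginAborted` test suggests ports are compared, so please confirm. I would skip the port when it is null and document the returned format, e.g. `@return origin in the form {@code scheme://host[:port]}, derived from the current request cycle's Url`. Also `protected String createOriginHeader(){` and `+ "://" +url.getHost()` do not follow the file's brace-on-own-line and spacing style.
```java
	protected String createOriginHeader()
	{
		Url url = RequestCycle.get().getRequest().getUrl();
		// TODO(review): confirm protocol/host are always set on the tester's request Url
		StringBuilder origin = new StringBuilder();
		origin.append(url.getProtocol()).append("://").append(url.getHost());
		if (url.getPort() != null)
		{
			origin.append(':').append(url.getPort());
		}
		return origin.toString();
	}
```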
 
        /**
         * 

http://git-wip-us.apache.org/repos/asf/wicket/blob/381fc81c/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
index 50dc656..9882bd6 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
+++ 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
@@ -24,6 +24,7 @@ import org.apache.wicket.RestartResponseException;
 import 
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.util.tester.WicketTestCase;
 import org.junit.Before;
 import org.junit.Test;
@@ -50,7 +51,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                // Rendering a page is allowed, regardless of Origin (this 
allows external links into your
                // website to function)
 
-               tester.addRequestHeader("Origin", "https://google.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"https://google.com/";);
 
                tester.startPage(FirstPage.class);
                tester.assertRenderedPage(FirstPage.class);
@@ -72,7 +73,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void disabledListenerDoesntCheckMismatchedOrigin()
        {
                csrfEnabled = false;
-               tester.addRequestHeader("Origin", "http://malicioussite.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://malicioussite.com/";);
                tester.clickLink("link");
                assertOriginsNotChecked();
                tester.assertRenderedPage(SecondPage.class);
@@ -114,7 +115,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void matchingOriginsAllowed()
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
-               tester.addRequestHeader("Origin", "http://localhost/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost/";);
 
                tester.clickLink("link");
 
@@ -127,7 +128,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void conflictingOriginsAllowed()
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -139,7 +140,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginsSuppressed()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                tester.clickLink("link");
@@ -152,7 +153,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginsAborted()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -166,7 +167,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setErrorCode(401);
                setErrorMessage("NOT AUTHORIZED");
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setNoOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -180,7 +181,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
                csrfListener.addAcceptedOrigin("example.com");
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -195,7 +196,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                csrfListener.addAcceptedOrigin("example.com");
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
 
-               tester.addRequestHeader("Origin", "http://foo.example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://foo.example.com/";);
 
                tester.clickLink("link");
 
@@ -210,7 +211,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginPageNotCheckedAllowed()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                // disable the check for this page
@@ -240,7 +241,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setSuppressHandler(thirdPageRedirect);
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -266,7 +267,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setAllowHandler(thirdPageRedirect);
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -291,7 +292,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                };
                setAbortHandler(thirdPageRedirect);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -309,7 +310,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void differentPortOriginAborted()
        {
-               tester.addRequestHeader("Origin", "http://localhost:8080";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost:8080";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -321,7 +322,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void differentSchemeOriginAborted()
        {
-               tester.addRequestHeader("Origin", "https://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"https://localhost";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -333,7 +334,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void longerOriginAllowed()
        {
-               tester.addRequestHeader("Origin", 
"http://localhost/supercalifragilisticexpialidocious";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost/supercalifragilisticexpialidocious";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -349,14 +350,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.clickLink("link", true);
 
                assertConflictingOriginsRequestAborted();
@@ -369,14 +370,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.clickLink("link", true);
 
                assertConflictingOriginsRequestSuppressed();
@@ -390,14 +391,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.submitForm("form");
 
                assertConflictingOriginsRequestSuppressed();

http://git-wip-us.apache.org/repos/asf/wicket/blob/381fc81c/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
----------------------------------------------------------------------
diff --git 
a/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java 
b/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
index fbadee2..1ac1596 100644
--- 
a/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
+++ 
b/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
@@ -47,6 +47,10 @@ public abstract class WebRequest extends Request
        public static final String HEADER_AJAX_BASE_URL = "Wicket-Ajax-BaseURL";
        /** anti-cache query parameter added by Wicket.Ajax.Request at its URL 
*/
        public static final String PARAM_AJAX_REQUEST_ANTI_CACHE = "_";
+       /** {@code Origin} http header */
+       public static final String HEADER_ORIGIN = "Origin";
+       /** {@code Referer} http header */
+       public static final String HEADER_REFERER = "Referer";
 
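Review bot: The Javadoc on `HEADER_REFERER` should state that the misspelling is intentional, since `Referer` is the name defined by HTTP (RFC 7231 §5.5.2) and a well-meaning cleanup to `Referrer` would silently break the fallback in `CsrfPreventionRequestCycleListener.getSourceUri`; e.g. `/** {@code Referer} http header; the spelling is the standard one (RFC 7231, section 5.5.2), do not "correct" it */`. `HEADER_ORIGIN` could likewise point at RFC 6454 so readers know it is the CSRF-relevant origin header. The class body continues outside the hunk.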
        /**
         * @return request cookies
