Dirk Forchel created WICKET-7015:
------------------------------------

             Summary: RelativeURICSPValue Directive with wrong URI value
                 Key: WICKET-7015
                 URL: https://issues.apache.org/jira/browse/WICKET-7015
             Project: Wicket
          Issue Type: Bug
          Components: wicket-core
    Affects Versions: 9.12.0
            Reporter: Dirk Forchel


It is possible to configure the CSP reporting with a wrong URI.

Using CSPHeaderConfiguration#reportBack(String mountPath) configures the CSP to 
report violations at the specified URI. But if you provide an absolute URL by 
mistake, no exception is thrown, although it should be.

The problem is that CSPRenderable#checkValidityForSrc() is never called for 
the RelativeURICSPValue.

To solve this, you should add the following piece of code within the overridden 
method checkValueForDirective:

{code:java}
if (value instanceof RelativeURICSPValue)
{
   value.checkValidityForSrc();
   return;
}{code}

In addition, the RelativeURICSPValue#checkValidityForSrc method should be 
rewritten in order to test whether the provided relativeUri is really relative.

{code:java}
// requires: java.net.URI, java.net.URISyntaxException, org.apache.wicket.request.UrlUtils
@Override
public void checkValidityForSrc()
{
   if (!UrlUtils.isRelative(relativeUri))
   {
      throw new IllegalArgumentException("You must provide a relative URI and not " + relativeUri);
   }
   try
   {
      // the prefix only exists so that URI can validate the syntax of the relative part
      new URI("https://example.com/" + relativeUri);
   }
   catch (URISyntaxException urise)
   {
      throw new IllegalArgumentException("Illegal relative URI", urise);
   }
}{code}
You can easily test this failure if you add the following unit test to 
the CSPSettingRequestCycleListenerTest:

{code:java}
@Test
public void testInvalidRelativeReportUriIsRejected()
{
   ContentSecurityPolicySettings settings = tester.getApplication().getCspSettings();
   // an absolute URL must be rejected by RelativeURICSPValue#checkValidityForSrc
   Assertions.assertThrows(IllegalArgumentException.class, () -> {
      settings.blocking().reportBack("http://report.example.com");
   });
}{code}




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
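Added illustration (not Wicket's code and not part of the report above): a self-contained Java class that applies the kind of check the report asks for to a handful of constructed inputs. It uses java.net.URI directly rather than Wicket's UrlUtils.isRelative so that it runs without Wicket on the classpath; the class name RelativeReportUriCheck and the method checkRelative are hypothetical. Beyond the absolute URL used in the report's test, it also rejects scheme-relative values such as //host/path, which a browser would likewise resolve to another origin, and malformed values that URI cannot parse.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Hypothetical stand-in for RelativeURICSPValue#checkValidityForSrc (added example, not Wicket code).
public final class RelativeReportUriCheck
{
    // Throws IllegalArgumentException for anything that is not a same-origin relative URI.
    static void checkRelative(String relativeUri)
    {
        if (relativeUri == null || relativeUri.isEmpty())
        {
            throw new IllegalArgumentException("report URI must not be empty");
        }
        final URI uri;
        try
        {
            // java.net.URI rejects characters that are illegal in a URI, e.g. a space
            uri = new URI(relativeUri);
        }
        catch (URISyntaxException urise)
        {
            throw new IllegalArgumentException("Illegal relative URI: " + relativeUri, urise);
        }
        // A scheme ("https:", "mailto:") makes the URI absolute; an authority ("//host") makes it
        // scheme-relative. Either would send violation reports to another origin.
        if (uri.isAbsolute() || uri.getRawAuthority() != null)
        {
            throw new IllegalArgumentException("You must provide a relative URI and not " + relativeUri);
        }
    }

    public static void main(String[] args)
    {
        // constructed inputs: the first two are valid mount paths, the rest must be rejected
        List<String> inputs = List.of(
            "/csp-report",
            "csp-report?app=1",
            "http://report.example.com",
            "//report.example.com/csp",
            "mailto:security@example.com",
            "csp report");
        for (String input : inputs)
        {
            try
            {
                checkRelative(input);
                System.out.println("accepted: " + input);
            }
            catch (IllegalArgumentException e)
            {
                System.out.println("rejected: " + input + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class prints one line per input; only the two path-only values are accepted. The authority check is the part a plain "does it start with a scheme" test misses: "//report.example.com/csp" has no scheme, yet a browser resolves it against the page's scheme and sends the reports off-origin.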
