Skip to content

Commit 63dc783

Browse files
JacquesLeRouxJacquesLeRoux
committed
Improved: Check parameters passed in URLs (OFBIZ-13295)
Tests in ControlFilter.java did not work with previous commit. This one fixes the issue Conflicts handled by hand in ControlFilter.java
1 parent 505c88c commit 63dc783

File tree

2 files changed

+30
-7
lines changed

2 files changed

+30
-7
lines changed

‎framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java‎

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,6 +160,11 @@ private static List<String> getAllowedTokens() {
160160
return UtilValidate.isNotEmpty(allowedTokens) ? StringUtil.split(allowedTokens, ",") : new ArrayList<>();
161161
}
162162

163+
private static boolean isControlFilterTests() {
164+
return null != System.getProperty("ControlFilterTests");
165+
}
166+
167+
163168
/**
164169
* Makes allowed paths pass through while redirecting the others to a fix location.
165170
* Reject wrong URLs
@@ -171,7 +176,9 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
171176

172177
// Prevents stream exploitation
173178
if (!isSolrTest()) {
174-
UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
179+
if (!isControlFilterTests()) {
180+
UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
181+
}
175182
Map<String, Object> parameters = UtilHttp.getParameterMap(req);
176183
boolean reject = false;
177184
if (!parameters.isEmpty()) {

‎framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java‎

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -18,21 +18,21 @@
1818
*/
1919
package org.apache.ofbiz.webapp.control;
2020

21+
import static org.mockito.ArgumentMatchers.anyString;
2122
import static org.mockito.Mockito.mock;
22-
import static org.mockito.Mockito.when;
23-
import static org.mockito.Mockito.verify;
24-
import static org.mockito.Mockito.anyString;
2523
import static org.mockito.Mockito.times;
24+
import static org.mockito.Mockito.verify;
25+
import static org.mockito.Mockito.when;
26+
27+
import org.junit.Before;
28+
import org.junit.Test;
2629

2730
import javax.servlet.FilterChain;
2831
import javax.servlet.FilterConfig;
2932
import javax.servlet.http.HttpServletRequest;
3033
import javax.servlet.http.HttpServletResponse;
3134
import javax.servlet.http.HttpSession;
3235

33-
import org.junit.Before;
34-
import org.junit.Test;
35-
3636
public class ControlFilterTests {
3737

3838
private FilterConfig config;
@@ -58,6 +58,7 @@ public void setUp() {
5858

5959
@Test
6060
public void filterWithExactAllowedPath() throws Exception {
61+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
6162
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
6263
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
6364
when(req.getRequestURI()).thenReturn("/servlet/bar");
@@ -66,10 +67,12 @@ public void filterWithExactAllowedPath() throws Exception {
6667
filter.init(config);
6768
filter.doFilter(req, resp, next);
6869
verify(next).doFilter(req, resp);
70+
System.clearProperty("ControlFilterTests");
6971
}
7072

7173
@Test
7274
public void filterWithAllowedSubPath() throws Exception {
75+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
7376
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
7477
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
7578
when(req.getRequestURI()).thenReturn("/servlet/bar/baz");
@@ -78,32 +81,38 @@ public void filterWithAllowedSubPath() throws Exception {
7881
filter.init(config);
7982
filter.doFilter(req, resp, next);
8083
verify(next).doFilter(req, resp);
84+
System.clearProperty("ControlFilterTests");
8185
}
8286

8387
@Test
8488
public void filterWithRedirection() throws Exception {
89+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
8590
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
8691
when(config.getInitParameter("allowedPaths")).thenReturn("/bar:/baz");
8792
when(req.getRequestURI()).thenReturn("/missing/path");
8893

8994
filter.init(config);
9095
filter.doFilter(req, resp, next);
9196
verify(resp).sendRedirect("/foo");
97+
System.clearProperty("ControlFilterTests");
9298
}
9399

94100
@Test
95101
public void filterWithURIredirection() throws Exception {
102+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
96103
when(config.getInitParameter("redirectPath")).thenReturn("http://example.org/foo");
97104
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
98105
when(req.getRequestURI()).thenReturn("/baz");
99106

100107
filter.init(config);
101108
filter.doFilter(req, resp, next);
102109
verify(resp).sendRedirect("http://example.org/foo");
110+
System.clearProperty("ControlFilterTests");
103111
}
104112

105113
@Test
106114
public void bailsOutWithVariousErrorCodes() throws Exception {
115+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
107116
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
108117
when(req.getRequestURI()).thenReturn("/baz");
109118

@@ -129,10 +138,12 @@ public void bailsOutWithVariousErrorCodes() throws Exception {
129138
filter.init(config);
130139
filter.doFilter(req, resp, next);
131140
verify(resp).sendError(404, "/baz");
141+
System.clearProperty("ControlFilterTests");
132142
}
133143

134144
@Test
135145
public void redirectAllAllowed() throws Exception {
146+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
136147
when(config.getInitParameter("redirectPath")).thenReturn("/bar");
137148
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
138149
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -141,10 +152,12 @@ public void redirectAllAllowed() throws Exception {
141152
filter.init(config);
142153
filter.doFilter(req, resp, next);
143154
verify(resp).sendRedirect("/bar");
155+
System.clearProperty("ControlFilterTests");
144156
}
145157

146158
@Test
147159
public void redirectAllNotAllowed() throws Exception {
160+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
148161
when(config.getInitParameter("redirectPath")).thenReturn("/bar");
149162
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
150163
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -153,10 +166,12 @@ public void redirectAllNotAllowed() throws Exception {
153166
filter.init(config);
154167
filter.doFilter(req, resp, next);
155168
verify(resp).sendRedirect("/bar");
169+
System.clearProperty("ControlFilterTests");
156170
}
157171

158172
@Test
159173
public void redirectAllRecursive() throws Exception {
174+
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
160175
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
161176
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
162177
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -174,5 +189,6 @@ public void redirectAllRecursive() throws Exception {
174189
filter.doFilter(req, resp, next);
175190
verify(next).doFilter(req, resp);
176191
verify(session).removeAttribute("_FORCE_REDIRECT_");
192+
System.clearProperty("ControlFilterTests");
177193
}
178194
}

0 commit comments

Comments
 (0)