Backport: reject set-cookie domain that doesn't match the request host (#2199)

Backport of: #2196

Author: hyperxpro

bom/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.asynchttpclient</groupId>
         <artifactId>async-http-client-project</artifactId>
-        <version>2.15.0</version>
+        <version>2.16.0</version>
     </parent>
 
     <artifactId>async-http-client-bom</artifactId>

client/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client</artifactId>

client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java

@@ -154,6 +154,11 @@ private boolean hasCookieExpired(Cookie cookie, long whenCreated) {
       return false;
   }
 
+  // rfc6265#section-5.1.3
+  private boolean domainsMatch(String cookieDomain, String requestDomain) {
+    return requestDomain.equals(cookieDomain) || requestDomain.endsWith('.' + cookieDomain);
+  }
+
   // rfc6265#section-5.1.4
   private boolean pathsMatch(String cookiePath, String requestPath) {
     return Objects.equals(cookiePath, requestPath) ||
@@ -164,6 +169,14 @@ private void add(String requestDomain, String requestPath, Cookie cookie) {
     AbstractMap.SimpleEntry<String, Boolean> pair = cookieDomain(cookie.domain(), requestDomain);
     String keyDomain = pair.getKey();
     boolean hostOnly = pair.getValue();
+
+    // rfc6265#section-5.3 step 6: ignore a cookie whose Domain attribute is not
+    // domain-matched by the request host, otherwise a host can plant cookies for
+    // unrelated domains (cookie tossing).
+    if (!hostOnly && !domainsMatch(keyDomain, requestDomain)) {
+      return;
+    }
+
     String keyPath = cookiePath(cookie.path(), requestPath);
     CookieKey key = new CookieKey(cookie.name().toLowerCase(), keyPath);
 

client/src/test/java/org/asynchttpclient/CookieStoreTest.java

@@ -55,6 +55,7 @@ public void tearDownGlobal() {
   public void runAllSequentiallyBecauseNotThreadSafe() throws Exception {
     addCookieWithEmptyPath();
     dontReturnCookieForAnotherDomain();
+    dontStoreCookieForUnrelatedDomainAttribute();
     returnCookieWhenItWasSetOnSamePath();
     returnCookieWhenItWasSetOnParentPath();
     dontReturnCookieWhenDomainMatchesButPathIsDifferent();
@@ -93,6 +94,14 @@ private void addCookieWithEmptyPath() {
     assertTrue(store.get(uri).size() > 0);
   }
 
+  // rfc6265#section-5.3 step 6: a host must not be able to set a cookie for an unrelated domain
+  private void dontStoreCookieForUnrelatedDomainAttribute() {
+    CookieStore store = new ThreadSafeCookieStore();
+    store.add(Uri.create("http://www.evil.com/"), ClientCookieDecoder.LAX.decode("SID=attacker; Domain=victim.com"));
+    assertTrue(store.get(Uri.create("https://victim.com/account")).isEmpty());
+    assertTrue(store.getAll().isEmpty());
+  }
+
   private void dontReturnCookieForAnotherDomain() {
     CookieStore store = new ThreadSafeCookieStore();
     store.add(Uri.create("http://www.foo.com"), ClientCookieDecoder.LAX.decode("ALPHA=VALUE1; path="));

example/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-example</artifactId>

extras/guava/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-guava</artifactId>

extras/jdeferred/pom.xml

@@ -18,7 +18,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <artifactId>async-http-client-extras-jdeferred</artifactId>
   <name>Asynchronous Http Client JDeferred Extras</name>

extras/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-parent</artifactId>

extras/registry/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-registry</artifactId>

extras/retrofit2/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.15.0</version>
+    <version>2.16.0</version>
   </parent>
 
   <artifactId>async-http-client-extras-retrofit2</artifactId>