Skip to content

Commit 84143a4

Browse files
committed
Improved: Check parameters passed in URLs (OFBIZ-13295)
Better completely bypass "Prevents stream exploitation" block in ControlFilter.java Also better uses the token bypassPreventsStreamExploitation in ControlFilterTests
1 parent ff547c2 commit 84143a4

2 files changed

Lines changed: 30 additions & 31 deletions

File tree

framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java

Lines changed: 22 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -170,33 +170,32 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
170170
String context = req.getContextPath();
171171
HttpSession session = req.getSession();
172172

173-
// Prevents stream exploitation
174-
175173
if (!isControlFilterTests()) {
174+
// Prevents stream exploitation
176175
UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
177-
}
178-
Map<String, Object> parameters = UtilHttp.getParameterMap(req);
179-
boolean reject = false;
180-
if (!parameters.isEmpty()) {
181-
for (String key : parameters.keySet()) {
182-
Object object = parameters.get(key);
183-
if (object.getClass().equals(String.class)
184-
|| object instanceof Collection) {
185-
try {
186-
List<String> toCheck = object.getClass().equals(String.class)
187-
? List.of((String) object)
188-
: UtilGenerics.checkCollection(object, String.class);
189-
reject = toCheck.stream()
190-
.anyMatch(val -> val.contains("<"));
191-
} catch (IllegalArgumentException e) {
192-
Debug.logWarning(e, MODULE);
193-
reject = true;
176+
Map<String, Object> parameters = UtilHttp.getParameterMap(req);
177+
boolean reject = false;
178+
if (!parameters.isEmpty()) {
179+
for (String key : parameters.keySet()) {
180+
Object object = parameters.get(key);
181+
if (object.getClass().equals(String.class)
182+
|| object instanceof Collection) {
183+
try {
184+
List<String> toCheck = object.getClass().equals(String.class)
185+
? List.of((String) object)
186+
: UtilGenerics.checkCollection(object, String.class);
187+
reject = toCheck.stream()
188+
.anyMatch(val -> val.contains("<"));
189+
} catch (IllegalArgumentException e) {
190+
Debug.logWarning(e, MODULE);
191+
reject = true;
192+
}
194193
}
195194
}
196-
}
197-
if (reject) {
198-
Debug.logError("For security reason this URL is not accepted", MODULE);
199-
throw new RuntimeException("For security reason this URL is not accepted");
195+
if (reject) {
196+
Debug.logError("For security reason this URL is not accepted", MODULE);
197+
throw new RuntimeException("For security reason this URL is not accepted");
198+
}
200199
}
201200
}
202201

framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,7 @@ public void setUp() {
5858

5959
@Test
6060
public void filterWithExactAllowedPath() throws Exception {
61-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
61+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
6262
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
6363
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
6464
when(req.getRequestURI()).thenReturn("/servlet/bar");
@@ -72,7 +72,7 @@ public void filterWithExactAllowedPath() throws Exception {
7272

7373
@Test
7474
public void filterWithAllowedSubPath() throws Exception {
75-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
75+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
7676
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
7777
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
7878
when(req.getRequestURI()).thenReturn("/servlet/bar/baz");
@@ -86,7 +86,7 @@ public void filterWithAllowedSubPath() throws Exception {
8686

8787
@Test
8888
public void filterWithRedirection() throws Exception {
89-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
89+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
9090
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
9191
when(config.getInitParameter("allowedPaths")).thenReturn("/bar:/baz");
9292
when(req.getRequestURI()).thenReturn("/missing/path");
@@ -99,7 +99,7 @@ public void filterWithRedirection() throws Exception {
9999

100100
@Test
101101
public void filterWithURIredirection() throws Exception {
102-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
102+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
103103
when(config.getInitParameter("redirectPath")).thenReturn("http://example.org/foo");
104104
when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
105105
when(req.getRequestURI()).thenReturn("/baz");
@@ -112,7 +112,7 @@ public void filterWithURIredirection() throws Exception {
112112

113113
@Test
114114
public void bailsOutWithVariousErrorCodes() throws Exception {
115-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
115+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
116116
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
117117
when(req.getRequestURI()).thenReturn("/baz");
118118

@@ -143,7 +143,7 @@ public void bailsOutWithVariousErrorCodes() throws Exception {
143143

144144
@Test
145145
public void redirectAllAllowed() throws Exception {
146-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
146+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
147147
when(config.getInitParameter("redirectPath")).thenReturn("/bar");
148148
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
149149
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -157,7 +157,7 @@ public void redirectAllAllowed() throws Exception {
157157

158158
@Test
159159
public void redirectAllNotAllowed() throws Exception {
160-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
160+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
161161
when(config.getInitParameter("redirectPath")).thenReturn("/bar");
162162
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
163163
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -171,7 +171,7 @@ public void redirectAllNotAllowed() throws Exception {
171171

172172
@Test
173173
public void redirectAllRecursive() throws Exception {
174-
System.setProperty("ControlFilterTests", "runsAfterControlFilter");
174+
System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
175175
when(config.getInitParameter("redirectPath")).thenReturn("/foo");
176176
when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
177177
when(config.getInitParameter("allowedPaths")).thenReturn("/foo");

0 commit comments

Comments
 (0)