From 6e4ace778249ba20f8f0609bb35c796c8265a3a0 Mon Sep 17 00:00:00 2001
From: Tobias Polley
Date: Thu, 7 Nov 2024 14:48:56 +0100
Subject: [PATCH] added check that URL survives encoding
---
 .../core/oauth2/OAuth2AuthFlowClient.java | 7 +++---
 .../core/oauth2/OAuth2RedirectTest.java | 24 +++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2AuthFlowClient.java b/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2AuthFlowClient.java
index 5a01fdf12f..a9296a42f0 100644
--- a/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2AuthFlowClient.java
+++ b/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2AuthFlowClient.java
@@ -13,7 +13,8 @@ public class OAuth2AuthFlowClient {
- private static final String CLIENT_URL = "http://localhost:2000";
+ private static final String CLIENT_BASE_URL = "http://localhost:2000";
+ private static final String CLIENT_URL = CLIENT_BASE_URL + "/a?b=c&d= ";
 private static final String AUTH_SERVER_URL = "http://localhost:2002";
 static Map cookies = new HashMap<>();
@@ -123,7 +124,7 @@ static String step8redirectToClient() {
 .post(AUTH_SERVER_URL)
 .then()
 .statusCode(307)
- .header(LOCATION, matchesPattern(CLIENT_URL + ".*"))
+ .header(LOCATION, matchesPattern(CLIENT_BASE_URL + ".*"))
 .extract().response().getHeader(LOCATION);
 }
@@ -135,7 +136,7 @@ static void step9exchangeCodeForToken(String location) {
 .post(location)
 .then()
 .statusCode(307)
- .header(LOCATION, "/")
+ .header(LOCATION, "/a?b=c&d=%20")
 .extract().response();
 }
diff --git a/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2RedirectTest.java b/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2RedirectTest.java
index 1cb013c27f..c4900bb106 100644
--- a/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2RedirectTest.java
+++ b/core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2RedirectTest.java
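Review bot: The trailing space inside `"/a?b=c&d= "` in the new CLIENT_URL constant is what the whole test hinges on, yet nothing in the source says so, and a reformatter or a hand edit can drop it without any visible change; suggest a comment on that line such as `// trailing space is deliberate: the flow must hand it back percent-encoded (see step9)`. The counterpart in step9exchangeCodeForToken (third hunk of this file) hard-codes the expected Location as `"/a?b=c&d=%20"` instead of deriving it from CLIENT_URL, so the two literals have to be kept in sync by hand; a comment there pointing back at CLIENT_URL, or building the expectation from the constant, would make the coupling explicit. Whether the space leaves the test client raw or already encoded is not visible here, so the assertion presumably pins the gateway's output regardless of input form — worth one sentence in the comment as well.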
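Review bot: `matchesPattern(CLIENT_BASE_URL + ".*")` in step8redirectToClient interprets the URL as a regular expression, so the dots in `http://localhost:2000` match any character and the prefix check is looser than it reads; this was already true of the old CLIENT_URL, but since the line is being rewritten anyway, `matchesPattern(Pattern.quote(CLIENT_BASE_URL) + ".*")` or Hamcrest's `startsWith(CLIENT_BASE_URL)` from the same Matchers class pins the literal prefix. The loosening from CLIENT_URL to CLIENT_BASE_URL itself looks intended, since the auth server redirects to the client's callback rather than to the original page. step8redirectToClient's body starts before the hunk.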
@@ -1,8 +1,11 @@
 package com.predic8.membrane.core.oauth2;
 import com.predic8.membrane.core.Router;
+import com.predic8.membrane.core.exchange.Exchange;
 import com.predic8.membrane.core.exchangestore.ForgetfulExchangeStore;
+import com.predic8.membrane.core.interceptor.AbstractInterceptor;
 import com.predic8.membrane.core.interceptor.LogInterceptor;
+import com.predic8.membrane.core.interceptor.Outcome;
 import com.predic8.membrane.core.interceptor.authentication.session.StaticUserDataProvider;
 import com.predic8.membrane.core.interceptor.flow.ConditionalInterceptor;
 import com.predic8.membrane.core.interceptor.misc.ReturnInterceptor;
@@ -29,16 +32,20 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
 import static com.predic8.membrane.core.interceptor.LogInterceptor.Level.DEBUG;
 import static com.predic8.membrane.core.interceptor.flow.ConditionalInterceptor.LanguageType.SPEL;
 import static com.predic8.membrane.core.oauth2.OAuth2AuthFlowClient.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 public class OAuth2RedirectTest {
 static Router azureRouter;
 static Router membraneRouter;
 static Router nginxRouter;
+ static AtomicReference firstUrlHit = new AtomicReference<>();
+ static AtomicReference targetUrlHit = new AtomicReference<>();
 @BeforeAll
 static void setup() throws Exception {
@@ -78,6 +85,8 @@ void testGet() {
 // Step 10: Make the authenticated POST request
 step10makeAuthPostRequest();
+
+ assertEquals(firstUrlHit.get(), targetUrlHit.get(), "Check that URL survived encoding.");
 }
 private static ConditionalInterceptor createConditionalInterceptorWithReturnMessage(String test, String returnMessage) {
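Review bot: `firstUrlHit` and `targetUrlHit` are static fields that are never reset, and the membrane-side interceptor added in getMembraneRule records only the first request it ever sees, so any request that reaches port 2000 before testGet's first step — another test method in this class, if one exists, or a re-run in the same JVM — leaves the final assertion comparing stale values. Clearing both at the top of testGet, `firstUrlHit.set(null); targetUrlHit.set(null);`, or in a `@BeforeEach`, ties the check to the flow it is meant to cover. The type appears here as a raw `AtomicReference`; if the type argument was lost in rendering ignore this, otherwise it should be `AtomicReference<String>`.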
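Review bot: `assertEquals(firstUrlHit.get(), targetUrlHit.get(), ...)` at the end of testGet passes vacuously if neither interceptor fired, because both references then hold null and the comparison succeeds; establish that a URI was captured first, e.g. `assertNotNull(firstUrlHit.get(), "membrane rule saw no request");` (with the matching static import), then compare. The message "Check that URL survived encoding." also does not say which two values are being compared; naming them — the URI as first received by the membrane rule versus the URI delivered to the nginx rule — makes a failure readable without opening the interceptors. testGet's body starts before the hunk.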
@@ -108,6 +117,13 @@ private static Router startProxyRule(Rule azureRule) throws Exception {
 private static @NotNull Rule getNginxRule() {
 Rule nginxRule = new ServiceProxy(new ServiceProxyKey("localhost", "*", ".*", 2001), "localhost", 80);
+ nginxRule.getInterceptors().add(new AbstractInterceptor() {
+ @Override
+ public Outcome handleRequest(Exchange exc) throws Exception {
+ targetUrlHit.set(exc.getRequest().getUri());
+ return Outcome.CONTINUE;
+ }
+ });
 nginxRule.getInterceptors().add(createConditionalInterceptorWithReturnMessage("method == 'POST'", "POST"));
 nginxRule.getInterceptors().add(createConditionalInterceptorWithReturnMessage("method == 'GET'", "GET"));
 nginxRule.getInterceptors().add(new ReturnInterceptor());
@@ -116,6 +132,14 @@ private static Router startProxyRule(Rule azureRule) throws Exception {
 private static @NotNull Rule getMembraneRule() {
 Rule membraneRule = new ServiceProxy(new ServiceProxyKey("localhost", "*", ".*", 2000), "localhost", 2001);
+ membraneRule.getInterceptors().add(new AbstractInterceptor() {
+ @Override
+ public Outcome handleRequest(Exchange exc) throws Exception {
+ if (firstUrlHit.get() == null)
+ firstUrlHit.set(exc.getRequest().getUri());
+ return Outcome.CONTINUE;
+ }
+ });
 membraneRule.getInterceptors().add(new OAuth2Resource2Interceptor() {{
 setSessionManager(new InMemorySessionManager());
 setAuthService(new MembraneAuthorizationService() {{
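Review bot: The interceptor added to the nginx rule overwrites `targetUrlHit` on every request while its twin in getMembraneRule (next hunk) records only the first, and that asymmetry is not explained anywhere; since testGet compares the two, whichever request reaches nginx last — presumably the step-10 POST — is what gets checked, and a later change to step 10's path would shift the meaning of the assertion silently. A one-line comment on each, e.g. `// last URI that reached the backend; compared against firstUrlHit in testGet` here and `// URI as first received by the gateway, before any OAuth2 redirects` there, or one small static helper used by both rules, would make the intent visible. `throws Exception` on both handleRequest bodies is unused and an override may narrow the throws clause. getNginxRule's body continues past the end of the hunk.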
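Review bot: `if (firstUrlHit.get() == null) firstUrlHit.set(...)` in the membrane-rule interceptor is a check-then-act on an AtomicReference; the atomic one-liner `firstUrlHit.compareAndSet(null, exc.getRequest().getUri());` does the same and reads directly as "record only the first". The race is unlikely to matter in this single-client test flow, but since the field was made atomic the idiom should match. getMembraneRule's body continues past the end of the hunk.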