From dd9eb26d43fa21ffcc014cc5e638085396b3da87 Mon Sep 17 00:00:00 2001
From: Harry Smith <hsmith@greshamtech.com>
Date: Thu, 25 Mar 2021 07:47:25 +0000
Subject: [PATCH] DWN-37025 : mitigate vulnerability in client logo and
 unauthorised endpoints

---
 .../src/main/webapp/WEB-INF/views/approve.jsp |  6 ++--
 .../webapp/WEB-INF/views/approveDevice.jsp    |  6 ++--
 .../webapp/resources/template/client.html     |  4 ++-
 .../mitre/openid/connect/web/ClientAPI.java   | 28 -------------------
 .../DynamicClientRegistrationEndpoint.java    |  1 +
 ...ProtectedResourceRegistrationEndpoint.java |  1 +
 6 files changed, 13 insertions(+), 33 deletions(-)

diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
index 4d3dda8ce..914363629 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
@@ -85,7 +85,9 @@
 					<c:if test="${ not empty client.logoUri }">
 						<ul class="thumbnails">
 							<li class="span5">
-								<a class="thumbnail" data-toggle="modal" data-target="#logoModal"><img src="api/clients/${ client.id }/logo" /></a>
+								<a class="thumbnail" data-toggle="modal" data-target="#logoModal">
+                                    <img src="<c:out value="${ client.logoUri }" />" referrerpolicy="no-referrer" />
+                                </a>
 							</li>
 						</ul>
 						<!-- Modal -->
@@ -104,7 +106,7 @@
 								</h3>
 							</div>
 							<div class="modal-body">
-								<img src="api/clients/${ client.id }/logo" />
+								<img src="<c:out value="${ client.logoUri }" />" referrerpolicy="no-referrer" />
 								<c:if test="${ not empty client.clientUri }">
 									<a href="<c:out value="${ client.clientUri }" />"><c:out value="${ client.clientUri }" /></a>
 								</c:if>
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp
index c49e1e874..4856f1923 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp
@@ -85,7 +85,9 @@
 					<c:if test="${ not empty client.logoUri }">
 						<ul class="thumbnails">
 							<li class="span5">
-								<a class="thumbnail" data-toggle="modal" data-target="#logoModal"><img src="api/clients/${ client.id }/logo" /></a>
+								<a class="thumbnail" data-toggle="modal" data-target="#logoModal">
+                                    <img src="<c:out value="${ client.logoUri }" />" referrerpolicy="no-referrer" />
+                                </a>
 							</li>
 						</ul>
 						<!-- Modal -->
@@ -104,7 +106,7 @@
 								</h3>
 							</div>
 							<div class="modal-body">
-								<img src="api/clients/${ client.id }/logo" />
+								<img src="<c:out value="${ client.logoUri }" />" referrerpolicy="no-referrer" />
 								<c:if test="${ not empty client.clientUri }">
 									<a href="<c:out value="${ client.clientUri }" />"><c:out value="${ client.clientUri }" /></a>
 								</c:if>
diff --git a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
index c7ceb88d4..9d35166c1 100644
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
@@ -26,7 +26,9 @@
 
 		<div class="media">
 			<% if (client.logoUri) { %>
-				<span class="pull-left"><img class="media-object client-logo" src="api/clients/<%- client.id %>/logo"></span>
+				<span class="pull-left">
+					<img class="media-object client-logo" src="<%- client.logoUri %>" referrerpolicy="no-referrer" />
+				</span>
 			<% } %>
 
 			<div class="media-body">
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index a3943fba5..6213f2c77 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -133,9 +133,6 @@ public class ClientAPI {
 	@Autowired
 	private ClientDetailsEntityService clientService;
 
-	@Autowired
-	private ClientLogoLoadingService clientLogoLoadingService;
-
 	@Autowired
 	@Qualifier("clientAssertionValidator")
 	private AssertionValidator assertionValidator;
@@ -519,31 +516,6 @@ public class ClientAPI {
 		}
 	}
 
-	/**
-	 * Get the logo image for a client
-	 * @param id
-	 */
-	@RequestMapping(value = "/{id}/logo", method=RequestMethod.GET, produces = { MediaType.IMAGE_GIF_VALUE, MediaType.IMAGE_JPEG_VALUE, MediaType.IMAGE_PNG_VALUE })
-	public ResponseEntity<byte[]> getClientLogo(@PathVariable("id") Long id, Model model) {
-
-		ClientDetailsEntity client = clientService.getClientById(id);
-
-		if (client == null) {
-			return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-		} else if (Strings.isNullOrEmpty(client.getLogoUri())) {
-			return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-		} else {
-			// get the image from cache
-			CachedImage image = clientLogoLoadingService.getLogo(client);
-
-			HttpHeaders headers = new HttpHeaders();
-			headers.setContentType(MediaType.parseMediaType(image.getContentType()));
-			headers.setContentLength(image.getLength());
-
-			return new ResponseEntity<>(image.getData(), headers, HttpStatus.OK);
-		}
-	}
-
 	private ClientDetailsEntity validateSoftwareStatement(ClientDetailsEntity newClient) throws ValidationException {
 		if (newClient.getSoftwareStatement() != null) {
 			if (assertionValidator.isValid(newClient.getSoftwareStatement())) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
index a36d539d0..7ba82de26 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
@@ -150,6 +150,7 @@ public class DynamicClientRegistrationEndpoint {
 	 * @param p
 	 * @return
 	 */
+	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
 	public String registerNewClient(@RequestBody String jsonString, Model m) {
 
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
index 6465e6377..eaa6568fd 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
@@ -91,6 +91,7 @@ public class ProtectedResourceRegistrationEndpoint {
 	 * @param p
 	 * @return
 	 */
+	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
 	public String registerNewProtectedResource(@RequestBody String jsonString, Model m) {