DWN-39926 : validate whitelist scopes are alphabet characters

pull/1601/head
Harry Smith 2023-01-03 15:01:42 +00:00
parent 8ad0c43d6a
commit b6f361b627
2 changed files with 48 additions and 2 deletions


@ -0,0 +1,25 @@
/**
* <copyright>
* <p>
* Copyright (c) 2010-2023 Gresham Technologies plc. All rights reserved.
*
* </copyright>
*/
package org.mitre.openid.connect.exception;
/**
* @author hwsmith
*/
public class WhitelistScopesException extends Exception {
private final String invalidScope;
public WhitelistScopesException(String invalidScope) {
this.invalidScope = invalidScope;
}
public String getMessage() {
return "The scope " + invalidScope + " is invalid as it contains non-alphabet characters";
}
}
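Review bot: The message built in `getMessage()` embeds the rejected scope verbatim, and that value is by construction a string that failed the `[a-zA-Z]+` check, so it can carry newlines, control characters or arbitrary length; the call sites in WhitelistAPI then log it with `e.getMessage()`, which makes the logged line attacker-shapeable (log forging) unless the value is neutralised first. I would quote and sanitise it before interpolating, e.g. `return "The scope '" + invalidScope.replaceAll("[^\\x20-\\x7E]", "?") + "' is invalid as it contains non-alphabet characters";`, and consider capping its length, since the scope is not needed verbatim for the error. `getMessage()` should also carry `@Override`, and because the constructor never passes a message to `super`, a one-line class comment such as `/** Thrown when a whitelisted-site scope contains characters outside [a-zA-Z]; the message is computed from the offending scope. */` would make the contract clear to readers who only see the exception. A `private static final long serialVersionUID` is conventional for a Serializable subclass but optional here.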


@ -22,7 +22,9 @@ package org.mitre.openid.connect.web;
import java.security.Principal;
import java.util.Collection;
import java.util.Set;
import org.mitre.openid.connect.exception.WhitelistScopesException;
import org.mitre.openid.connect.model.WhitelistedSite;
import org.mitre.openid.connect.service.WhitelistedSiteService;
import org.mitre.openid.connect.view.HttpCodeView;
@ -56,6 +58,7 @@ import com.google.gson.JsonParser;
public class WhitelistAPI {
public static final String URL = RootController.API_URL + "/whitelist";
private static final String characterMatcher = "[a-zA-Z]+";
@Autowired
private WhitelistedSiteService whitelistService;
@ -100,7 +103,12 @@ public class WhitelistAPI {
try {
json = parser.parse(jsonString).getAsJsonObject();
whitelist = gson.fromJson(json, WhitelistedSite.class);
validateWhitelistScopes(whitelist.getAllowedScopes());
} catch (WhitelistScopesException e) {
logger.error("addNewWhitelistedSite failed due to WhitelistException. {}", e.getMessage());
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not save new whitelisted site. The server encountered a whitelist exception. Contact a system administrator for assistance.");
return JsonErrorView.VIEWNAME;
} catch (JsonParseException e) {
logger.error("addNewWhitelistedSite failed due to JsonParseException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@ -137,7 +145,12 @@ public class WhitelistAPI {
try {
json = parser.parse(jsonString).getAsJsonObject();
whitelist = gson.fromJson(json, WhitelistedSite.class);
validateWhitelistScopes(whitelist.getAllowedScopes());
} catch (WhitelistScopesException e) {
logger.error("addNewWhitelistedSite failed due to WhitelistScopeException. {}", e.getMessage());
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not save new whitelisted site. The server encountered a whitelist scope exception. Contact a system administrator for assistance.");
return JsonErrorView.VIEWNAME;
} catch (JsonParseException e) {
logger.error("updateWhitelistedSite failed due to JsonParseException", e);
m.put(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@ -167,6 +180,14 @@ public class WhitelistAPI {
}
}
private void validateWhitelistScopes(Set<String> scopes) throws WhitelistScopesException {
for (String s : scopes) {
if (!s.matches(characterMatcher)) {
throw new WhitelistScopesException(s);
}
}
}
/**
* Delete a whitelisted site
*