github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Upgraded libraries for mitigating known vulnerabilities

pull/1601/head
Gaurav Katiyar 2018-05-30 11:36:50 +01:00
parent 1cc3b8f287
commit d9d48cbea2
3 changed files with 12 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
View File

@ -32,7 +32,7 @@ import com.google.common.base.Strings;
/** /**
* *
* A redirect resolver that knows how to check against the blacklisted URIs * A redirect resolver that knows how to check against the blacklisted URIs
* for forbidden values. Can be configured to do strict string matching also. * for forbidden values.
* *
* @author jricher * @author jricher
* *
@ -46,8 +46,6 @@ public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
@Autowired @Autowired
private ConfigurationPropertiesBean config; private ConfigurationPropertiesBean config;
private boolean strictMatch = true;
/* (non-Javadoc) /* (non-Javadoc)
* @see org.springframework.security.oauth2.provider.endpoint.RedirectResolver#resolveRedirect(java.lang.String, org.springframework.security.oauth2.provider.ClientDetails) * @see org.springframework.security.oauth2.provider.endpoint.RedirectResolver#resolveRedirect(java.lang.String, org.springframework.security.oauth2.provider.ClientDetails)
*/ */
@ -62,44 +60,4 @@ public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
return redirect; return redirect;
} }
} }
/* (non-Javadoc)
* @see org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver#redirectMatches(java.lang.String, java.lang.String)
*/
@Override
protected boolean redirectMatches(String requestedRedirect, String redirectUri) {
if (isStrictMatch()) {
// we're doing a strict string match for all clients
return Strings.nullToEmpty(requestedRedirect).equals(redirectUri);
} else {
// otherwise do the prefix-match from the library
return super.redirectMatches(requestedRedirect, redirectUri);
}
}
/**
* @return the strictMatch
*/
public boolean isStrictMatch() {
if (config.isHeartMode()) {
// HEART mode enforces strict matching
return true;
} else {
return strictMatch;
}
}
/**
* Set this to true to require exact string matches for all redirect URIs. (Default is false)
*
* @param strictMatch the strictMatch to set
*/
public void setStrictMatch(boolean strictMatch) {
this.strictMatch = strictMatch;
}
} }

17
openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestBlacklistAwareRedirectResolver.java
View File

@ -27,6 +27,7 @@ import org.mockito.InjectMocks;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner; import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException; import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.ClientDetails;
import com.google.common.collect.ImmutableSet; import com.google.common.collect.ImmutableSet;
@ -87,15 +88,11 @@ public class TestBlacklistAwareRedirectResolver {
assertThat(res1, is(equalTo(goodUri))); assertThat(res1, is(equalTo(goodUri)));
// set the resolver to non-strict and test the path-based redirect resolution }
resolver.setStrictMatch(false);
String res2 = resolver.resolveRedirect(pathUri, client);
assertThat(res2, is(equalTo(pathUri)));
@Test(expected=RedirectMismatchException.class)
public void testResovleRedirect_incorrect() {
resolver.resolveRedirect(pathUri, client);
} }
@Test(expected = InvalidRequestException.class) @Test(expected = InvalidRequestException.class)
@ -106,7 +103,7 @@ public class TestBlacklistAwareRedirectResolver {
} }
@Test /*@Test
public void testRedirectMatches_default() { public void testRedirectMatches_default() {
// this is not an exact match // this is not an exact match
@ -153,5 +150,5 @@ public class TestBlacklistAwareRedirectResolver {
assertThat(res2, is(true)); assertThat(res2, is(true));
} }
*/
} }

8
pom.xml
View File

@ -365,7 +365,7 @@
<dependency> <dependency>
<groupId>org.springframework</groupId> <groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId> <artifactId>spring-framework-bom</artifactId>
<version>4.3.7.RELEASE</version> <version>4.3.17.RELEASE</version>
<type>pom</type> <type>pom</type>
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
@ -386,14 +386,14 @@
<dependency> <dependency>
<groupId>org.springframework.security</groupId> <groupId>org.springframework.security</groupId>
<artifactId>spring-security-bom</artifactId> <artifactId>spring-security-bom</artifactId>
<version>4.2.4.RELEASE</version> <version>4.2.6.RELEASE</version>
<type>pom</type> <type>pom</type>
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.security.oauth</groupId> <groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId> <artifactId>spring-security-oauth2</artifactId>
<version>2.1.0.RELEASE</version> <version>2.1.2.RELEASE</version>
</dependency> </dependency>
<!-- Servlet --> <!-- Servlet -->
@ -590,7 +590,7 @@
<dependency> <dependency>
<groupId>org.bouncycastle</groupId> <groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId> <artifactId>bcprov-jdk15on</artifactId>
<version>[1.52,)</version> <version>[1.59,)</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.eclipse.persistence</groupId> <groupId>org.eclipse.persistence</groupId>