Upgraded libraries for mitigating known vulnerabilities
Gaurav Katiyar
parent
1cc3b8f287
commit
d9d48cbea2
|
|
@ -32,7 +32,7 @@ import com.google.common.base.Strings;
|
|||
/**
|
||||
*
|
||||
* A redirect resolver that knows how to check against the blacklisted URIs
|
||||
* for forbidden values. Can be configured to do strict string matching also.
|
||||
* for forbidden values.
|
||||
*
|
||||
* @author jricher
|
||||
*
|
||||
|
|
@ -46,8 +46,6 @@ public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
|
|||
@Autowired
|
||||
private ConfigurationPropertiesBean config;
|
||||
|
||||
private boolean strictMatch = true;
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.oauth2.provider.endpoint.RedirectResolver#resolveRedirect(java.lang.String, org.springframework.security.oauth2.provider.ClientDetails)
|
||||
*/
|
||||
|
|
@ -62,44 +60,4 @@ public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
|
|||
return redirect;
|
||||
}
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver#redirectMatches(java.lang.String, java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
protected boolean redirectMatches(String requestedRedirect, String redirectUri) {
|
||||
|
||||
if (isStrictMatch()) {
|
||||
// we're doing a strict string match for all clients
|
||||
return Strings.nullToEmpty(requestedRedirect).equals(redirectUri);
|
||||
} else {
|
||||
// otherwise do the prefix-match from the library
|
||||
return super.redirectMatches(requestedRedirect, redirectUri);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the strictMatch
|
||||
*/
|
||||
public boolean isStrictMatch() {
|
||||
if (config.isHeartMode()) {
|
||||
// HEART mode enforces strict matching
|
||||
return true;
|
||||
} else {
|
||||
return strictMatch;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Set this to true to require exact string matches for all redirect URIs. (Default is false)
|
||||
*
|
||||
* @param strictMatch the strictMatch to set
|
||||
*/
|
||||
public void setStrictMatch(boolean strictMatch) {
|
||||
this.strictMatch = strictMatch;
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ import org.mockito.InjectMocks;
|
|||
import org.mockito.Mock;
|
||||
import org.mockito.runners.MockitoJUnitRunner;
|
||||
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
|
||||
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
|
||||
import org.springframework.security.oauth2.provider.ClientDetails;
|
||||
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
|
|
@ -87,15 +88,11 @@ public class TestBlacklistAwareRedirectResolver {
|
|||
|
||||
assertThat(res1, is(equalTo(goodUri)));
|
||||
|
||||
// set the resolver to non-strict and test the path-based redirect resolution
|
||||
|
||||
resolver.setStrictMatch(false);
|
||||
|
||||
String res2 = resolver.resolveRedirect(pathUri, client);
|
||||
|
||||
assertThat(res2, is(equalTo(pathUri)));
|
||||
|
||||
}
|
||||
|
||||
@Test(expected=RedirectMismatchException.class)
|
||||
public void testResovleRedirect_incorrect() {
|
||||
resolver.resolveRedirect(pathUri, client);
|
||||
}
|
||||
|
||||
@Test(expected = InvalidRequestException.class)
|
||||
|
|
@ -106,7 +103,7 @@ public class TestBlacklistAwareRedirectResolver {
|
|||
|
||||
}
|
||||
|
||||
@Test
|
||||
/*@Test
|
||||
public void testRedirectMatches_default() {
|
||||
|
||||
// this is not an exact match
|
||||
|
|
@ -153,5 +150,5 @@ public class TestBlacklistAwareRedirectResolver {
|
|||
|
||||
assertThat(res2, is(true));
|
||||
}
|
||||
|
||||
*/
|
||||
}
|
||||
|
|
|
|||
8
pom.xml
8
pom.xml
|
|
@ -365,7 +365,7 @@
|
|||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-framework-bom</artifactId>
|
||||
<version>4.3.7.RELEASE</version>
|
||||
<version>4.3.17.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
|
|
@ -386,14 +386,14 @@
|
|||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-bom</artifactId>
|
||||
<version>4.2.4.RELEASE</version>
|
||||
<version>4.2.6.RELEASE</version>
|
||||
<type>pom</type>
|
||||
<scope>import</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security.oauth</groupId>
|
||||
<artifactId>spring-security-oauth2</artifactId>
|
||||
<version>2.1.0.RELEASE</version>
|
||||
<version>2.1.2.RELEASE</version>
|
||||
</dependency>
|
||||
|
||||
<!-- Servlet -->
|
||||
|
|
@ -590,7 +590,7 @@
|
|||
<dependency>
|
||||
<groupId>org.bouncycastle</groupId>
|
||||
<artifactId>bcprov-jdk15on</artifactId>
|
||||
<version>[1.52,)</version>
|
||||
<version>[1.59,)</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.persistence</groupId>
|
||||
|
|
|
|||
Loading…
Reference in New Issue