V1.6.0 (#515)
* KNOX-2655 - Disallow Userinfo in KnoxSSO originalURL Query Param
diff --git a/gateway-applications/src/main/resources/applications/knoxauth/app/redirecting.jsp b/gateway-applications/src/main/resources/applications/knoxauth/app/redirecting.jsp
index 0b54c48..7a2b94c 100644
--- a/gateway-applications/src/main/resources/applications/knoxauth/app/redirecting.jsp
+++ b/gateway-applications/src/main/resources/applications/knoxauth/app/redirecting.jsp
@@ -14,9 +14,11 @@
-->
<%@ page import="java.util.Collection" %>
<%@ page import="java.util.Map" %>
+<%@ page import="java.net.MalformedURLException" %>
<%@ page import="org.apache.knox.gateway.topology.Topology" %>
<%@ page import="org.apache.knox.gateway.topology.Service" %>
<%@ page import="org.apache.knox.gateway.util.RegExUtils" %>
+<%@ page import="org.apache.knox.gateway.util.Urls" %>
<%@ page import="org.apache.knox.gateway.util.WhitelistUtils" %>
<!DOCTYPE html>
@@ -41,31 +43,43 @@
<script type="text/javascript" src="js/knoxauth.js"></script>
<%
+ boolean validRedirect = true;
String originalUrl = request.getParameter("originalUrl");
- Topology topology = (Topology)request.getSession().getServletContext().getAttribute("org.apache.knox.gateway.topology");
- String whitelist = null;
- Collection services = topology.getServices();
- for (Object service : services) {
- Service svc = (Service)service;
- if (svc.getRole().equals("KNOXSSO")) {
- Map<String, String> params = svc.getParams();
- whitelist = params.get("knoxsso.redirect.whitelist.regex");
+ try {
+ if (Urls.containsUserInfo(originalUrl)) {
+ validRedirect = false;
}
}
- if (whitelist == null) {
+ catch (MalformedURLException ex) {
+ // if not a well formed URL then not a valid redirect
+ validRedirect = false;
+ }
+ if (validRedirect) {
+ Topology topology = (Topology)request.getSession().getServletContext().getAttribute("org.apache.knox.gateway.topology");
+ String whitelist = null;
+ Collection services = topology.getServices();
+ for (Object service : services) {
+ Service svc = (Service)service;
+ if (svc.getRole().equals("KNOXSSO")) {
+ Map<String, String> params = svc.getParams();
+ whitelist = params.get("knoxsso.redirect.whitelist.regex");
+ }
+ }
+ if (whitelist == null) {
whitelist = WhitelistUtils.getDispatchWhitelist(request);
if (whitelist == null) {
- whitelist = "";
+ whitelist = "";
}
+ }
+ validRedirect = RegExUtils.checkWhitelist(whitelist, originalUrl);
}
- boolean validRedirect = RegExUtils.checkWhitelist(whitelist, originalUrl);
if (validRedirect) {
%>
<script>
document.addEventListener("load", redirectOnLoad());
function redirectOnLoad() {
- var originalUrl = "<%= originalUrl %>";
+ var originalUrl = <%= originalUrl %>;
if (originalUrl != null) {
redirect(originalUrl);
}
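Review bot: The quotes dropped at `var originalUrl = <%= originalUrl %>;` look unintended: for an ordinary URL value the statement is no longer valid JavaScript, and either way the request parameter is still interpolated into script context without escaping, so the whitelist regex is the only control between the query string and the page's script. Matching a redirect whitelist does not guarantee the value is free of characters that have meaning inside a JavaScript string literal. Restore the quoting and emit the value through a JavaScript-string encoder, or serialize it as a JSON string, before interpolating it. Both the `<%` scriptlet and the `<script>` block continue past the end of the hunk.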
diff --git a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Urls.java b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Urls.java
index bb500a9..fa31ddf 100644
--- a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Urls.java
+++ b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Urls.java
@@ -72,6 +72,16 @@
}
/**
+ * Does the provided URL contain UserInfo
+ * @param url
+ * @return true if a URL contains userInfo else false
+ * @throws MalformedURLException
+ */
+ public static boolean containsUserInfo(String url) throws MalformedURLException {
+ return (new URL(url).getUserInfo() != null);
+ }
+
+ /**
* Compute the domain name from an URL.
*
* @param url a given URL
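Review bot: The Javadoc on `containsUserInfo` leaves `@param url` and `@throws MalformedURLException` without descriptions, so a caller cannot tell that a parse failure is part of the contract rather than an incidental error. Suggest `@param url the URL string to inspect, as accepted by {@link URL#URL(String)}` and `@throws MalformedURLException if {@code url} cannot be parsed as a URL; callers using this as a redirect check should treat that as "not valid"`. The summary could also state that the result reflects `java.net.URL`'s authority parsing, since that is what decides where the userinfo ends. The parentheses around the return expression are redundant: `return new URL(url).getUserInfo() != null;`.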
diff --git a/gateway-util-common/src/test/java/org/apache/knox/gateway/util/UrlsTest.java b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/UrlsTest.java
index ec1e331..0f15858 100644
--- a/gateway-util-common/src/test/java/org/apache/knox/gateway/util/UrlsTest.java
+++ b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/UrlsTest.java
@@ -18,6 +18,8 @@
package org.apache.knox.gateway.util;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import org.junit.Assert;
import org.junit.Test;
@@ -94,4 +96,9 @@
assertEquals( "%3F", Urls.encode( "?" ) );
}
+ @Test
+ public void testContainsUserInfo() throws Exception {
+ assertTrue(Urls.containsUserInfo( "https://www.local.com:8443aa@google.com"));
+ assertFalse(Urls.containsUserInfo( "https://www.local.com:8443/google.com"));
+ }
}
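Review bot: `testContainsUserInfo` covers one positive and one negative case but not the error path the JSP relies on, where an unparseable value must raise `MalformedURLException` rather than return false. Add a case such as `@Test(expected = MalformedURLException.class) public void testContainsUserInfoMalformed() throws Exception { Urls.containsUserInfo("not a url"); }` and a positive case with a user name but no password, e.g. `assertTrue(Urls.containsUserInfo("https://user@www.local.com/"));`. Whether a null argument surfaces as `MalformedURLException` or `NullPointerException` is not pinned by these tests either; one assertion on that would document the behaviour the caller depends on.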