From 5de499331924dafc42944b8853d6c3d84204bfa6 Mon Sep 17 00:00:00 2001 From: mharindu Date: Tue, 28 Jun 2016 17:23:39 +0530 Subject: [PATCH] Fixed URL tampering issue --- .../pom.xml | 7 ++++++- .../framework/AuthenticationFrameworkUtil.java | 3 ++- .../framework/WebappAuthenticationValve.java | 8 ++++---- .../framework/authorizer/PermissionAuthorizer.java | 5 +++-- pom.xml | 6 ++++++ 5 files changed, 21 insertions(+), 8 deletions(-) diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml index 6893eb1e886..5927c345dae 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml @@ -121,7 +121,8 @@ org.wso2.carbon.registry.core.*, org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}", org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}", - org.wso2.carbon.base + org.wso2.carbon.base, + org.owasp.encoder @@ -226,6 +227,10 @@ org.wso2.carbon org.wso2.carbon.registry.core + + org.wso2.orbit.org.owasp.encoder + encoder + diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java index 72fe8c958d3..1ae7b831162 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java 
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
@@ -21,6 +21,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.w3c.dom.Document;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.core.authenticate.APITokenValidator;
@@ -42,7 +43,7 @@ public class AuthenticationFrameworkUtil {
 public static void handleNoMatchAuthScheme(Request request, Response response, String httpVerb, String version, String context) {
 String msg = "Resource is not matched for HTTP Verb: '" + httpVerb + "', API context: '" + context +
- "', Version: '" + version + "' and RequestURI: '" + request.getRequestURI() + "'";
+ "', Version: '" + version + "' and RequestURI: '" + Encode.forHtml(request.getRequestURI()) + "'";
 handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, msg);
 }
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
index 93ab9c32a3b..feb5c77415f 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
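Review bot: `Encode.forHtml` on the RequestURI only helps if `handleResponse` writes the message as text/html; that helper's body and content type are outside this hunk, and if it emits JSON or plain text the HTML entity encoding is the wrong encoder for that context and merely garbles the output. The same message still interpolates `httpVerb`, `context` and `version` unencoded, and if those are derived from the request path (plausible given the method name, but not visible here) they carry the same injection risk the commit is closing for the URI. Encode every request-derived fragment with the encoder that matches the response content type, e.g. `"', API context: '" + Encode.forHtml(context) + "', Version: '" + Encode.forHtml(version) + ...`, or send a fixed 403 message to the client and log the details server-side instead. The method `handleNoMatchAuthScheme` is fully contained in this hunk.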
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
 import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
@@ -151,11 +152,10 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
 response.setHeader("WWW-Authenticate", msg);
 }
 if (log.isDebugEnabled()) {
- log.debug(msg + " , API : " + request.getRequestURI());
+ log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
 }
- AuthenticationFrameworkUtil
- .handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED,
- msg);
+ AuthenticationFrameworkUtil.
+ handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
 break;
 }
 }
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
index efbe30bc5b0..6d5138d3a2f 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
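Review bot: `Encode.forUriComponent` on the new debug line percent-encodes every `/` and `:` in the request URI, so a path such as `/api/device-mgt/v1.0/devices` is logged as `%2Fapi%2Fdevice-mgt%2Fv1.0%2Fdevices`; for a log sink the threat is CR/LF and control characters, which `Encode.forJava(request.getRequestURI())` neutralises while keeping the path readable, and it is the encoder this same commit uses in PermissionAuthorizer, so the two files would also agree. `msg` is concatenated into the same log line unencoded and, two lines up, is written into the `WWW-Authenticate` response header; if any part of `msg` is built from request input (its construction is outside this hunk) that is a header-injection vector the commit does not cover, so worth confirming. Style: the rewrapped call leaves a dangling dot at end of line (`AuthenticationFrameworkUtil.`); conventional Java wraps before the dot, as the removed lines did. The enclosing method starts before this hunk.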
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
@@ -57,13 +58,13 @@ public class PermissionAuthorizer {
 requestPermission = registryBasedPermissionManager.getPermission(properties);
 } catch (PermissionManagementException e) {
 log.error(
- "Error occurred while fetching the permission for URI : " + requestUri + " ," +
+ "Error occurred while fetching the permission for URI : " + Encode.forJava(requestUri) + " ," +
 " METHOD : " + requestMethod + ", msg = " + e.getMessage());
 }
 if (requestPermission == null) {
 if (log.isDebugEnabled()) {
- log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
+ log.debug("Permission to request '" + Encode.forJava(requestUri) + "' is not defined in the configuration");
 }
 return WebappAuthenticator.Status.FAILURE;
 }
diff --git a/pom.xml b/pom.xml
index 40e528385b0..c4f84666893 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1511,6 +1511,11 @@ jackson-annotations ${jackson-annotations.version} + + org.wso2.orbit.org.owasp.encoder + encoder + ${owasp.encoder.version} +
@@ -1880,6 +1885,7 @@ 1.0.2 2.7.4 + 1.2.0.wso2v1
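Review bot: `requestMethod` is still concatenated raw into the `log.error` line immediately after the newly encoded `requestUri`; the HTTP method string is request-supplied as well (Tomcat passes arbitrary method tokens through), so a client sending a custom method keeps the same log-injection path this change closes for the URI. Encode it the same way, `" METHOD : " + Encode.forJava(requestMethod) + ", msg = " + e.getMessage()`, or better, reject anything outside the known verbs before it is used as a permission lookup key (where `requestMethod` is assigned is outside this hunk, so validation may already exist upstream — worth confirming). The catch block also logs only `e.getMessage()` and discards the stack trace; since the line is being touched anyway, `log.error("...", e)` would preserve the cause for triage. The enclosing method starts before this hunk.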