hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.20.2
codeql/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexSpring.java
luchua-bc b69eba9238 Add check for Spring redirect
2022-07-29 01:59:47 +00:00

76 lines
2.7 KiB
Java
Raw Permalink Blame History

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.view.RedirectView;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@Controller
public class DotRegexSpring {
private static final String PROTECTED_PATTERN = "/protected/.*";
private static final String CONSTRAINT_PATTERN = "/protected/xyz\\.xml";
@GetMapping("param")
// BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check
public String withParam(@RequestParam String path, Model model) throws UnsupportedEncodingException {
Pattern p = Pattern.compile(PROTECTED_PATTERN);
path = decodePath(path);
Matcher m = p.matcher(path);
if (m.matches()) {
// Protected page - check access token and redirect to login page
if (model.getAttribute("secAttr") == null || !model.getAttribute("secAttr").equals("secValue")) {
return "redirect:login";
}
}
// Not protected page - render content
return path;
}
@GetMapping("{path}")
// BAD: A string with line return e.g. `%252Fprotected%252F%250dxyz` can bypass the path check
public RedirectView withPathVariable1(@PathVariable String path, Model model) throws UnsupportedEncodingException {
Pattern p = Pattern.compile(PROTECTED_PATTERN);
path = decodePath(path);
Matcher m = p.matcher(path);
if (m.matches()) {
// Protected page - check access token and redirect to login page
if (model.getAttribute("secAttr") == null || !model.getAttribute("secAttr").equals("secValue")) {
RedirectView redirectView = new RedirectView("login", true);
return redirectView;
}
}
return null;
}
@GetMapping("/sp/{path}")
// GOOD: A string with line return e.g. `%252Fprotected%252F%250dxyz` cannot bypass the path check
public String withPathVariable2(@PathVariable String path, Model model) throws UnsupportedEncodingException {
Pattern p = Pattern.compile(CONSTRAINT_PATTERN);
path = decodePath(path);
Matcher m = p.matcher(path);
if (m.matches()) {
// Protected page - check access token and redirect to login page
if (model.getAttribute("secAttr") == null || !model.getAttribute("secAttr").equals("secValue")) {
return "redirect:login";
}
}
// Not protected page - render content
return path;
}
private String decodePath(String path) throws UnsupportedEncodingException {
while (path.indexOf("%") > -1) {
path = URLDecoder.decode(path, "UTF-8");
}
return path;
}
}
Reference in New Issue View Git Blame Copy Permalink