diff --git a/core/src/main/java/net/adoptopenjdk/icedteaweb/client/controlpanel/panels/ServerWhitelistPanel.java b/core/src/main/java/net/adoptopenjdk/icedteaweb/client/controlpanel/panels/ServerWhitelistPanel.java index 0dd324500..a5645d499 100644 --- a/core/src/main/java/net/adoptopenjdk/icedteaweb/client/controlpanel/panels/ServerWhitelistPanel.java +++ b/core/src/main/java/net/adoptopenjdk/icedteaweb/client/controlpanel/panels/ServerWhitelistPanel.java @@ -22,7 +22,8 @@ import net.adoptopenjdk.icedteaweb.i18n.Translator; import net.adoptopenjdk.icedteaweb.jdk89access.SunMiscLauncher; import net.sourceforge.jnlp.config.DeploymentConfiguration; -import net.sourceforge.jnlp.util.UrlWhiteListUtils; +import net.sourceforge.jnlp.util.whitelist.UrlWhiteListUtils; +import net.sourceforge.jnlp.util.whitelist.WhitelistEntry; import javax.swing.BorderFactory; import javax.swing.ImageIcon; @@ -56,7 +57,7 @@ public ServerWhitelistPanel(final DeploymentConfiguration config) { Assert.requireNonNull(config, "config"); - final List whitelist = UrlWhiteListUtils.getApplicationUrlWhiteList(); + final List whitelist = UrlWhiteListUtils.getApplicationUrlWhiteList(); final JTable table = new JTable(createTableModel(whitelist)); table.getTableHeader().setReorderingAllowed(false); @@ -102,7 +103,7 @@ public Component getTableCellRendererComponent(JTable table, Object value, boole add(scrollPane, BorderLayout.CENTER); } - private TableModel createTableModel(final List whitelist) { + private TableModel createTableModel(final List whitelist) { final String[] colNames = {R("SWPCol0Header"), R("SWPCol1Header")}; return new AbstractTableModel() { @Override @@ -121,12 +122,12 @@ public int getColumnCount() { @Override public Object getValueAt(int rowIndex, int columnIndex) { - UrlWhiteListUtils.WhitelistEntry whitelistEntry = whitelist.get(rowIndex); + WhitelistEntry whitelistEntry = whitelist.get(rowIndex); switch (columnIndex) { case 0: - return whitelistEntry.getWhitelistEntry(); + return whitelistEntry.getRawWhitelistEntry(); case 1: - return new WhitelistEntryState(whitelistEntry.isValid(), whitelistEntry.isValid() ? whitelistEntry.getValidatedWhitelistEntry() : R("SWPINVALIDWLURL") + ": " + whitelistEntry.getErrorMessage()); + return new WhitelistEntryState(whitelistEntry.isValid(), whitelistEntry.isValid() ? whitelistEntry.getEffectiveWhitelistEntry() : R("SWPINVALIDWLURL") + ": " + whitelistEntry.getErrorMessage()); default: throw new IllegalArgumentException(); } diff --git a/core/src/main/java/net/adoptopenjdk/icedteaweb/resources/ResourceHandler.java b/core/src/main/java/net/adoptopenjdk/icedteaweb/resources/ResourceHandler.java index ee264cb16..470140a59 100644 --- a/core/src/main/java/net/adoptopenjdk/icedteaweb/resources/ResourceHandler.java +++ b/core/src/main/java/net/adoptopenjdk/icedteaweb/resources/ResourceHandler.java @@ -11,7 +11,7 @@ import net.adoptopenjdk.icedteaweb.resources.initializer.ResourceInitializer; import net.sourceforge.jnlp.cache.CacheUtil; import net.sourceforge.jnlp.runtime.JNLPRuntime; -import net.sourceforge.jnlp.util.UrlWhiteListUtils; +import net.sourceforge.jnlp.util.whitelist.UrlWhiteListUtils; import java.io.File; import java.net.URL; diff --git a/core/src/main/java/net/sourceforge/jnlp/util/UrlWhiteListUtils.java b/core/src/main/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtils.java similarity index 58% rename from core/src/main/java/net/sourceforge/jnlp/util/UrlWhiteListUtils.java rename to core/src/main/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtils.java index 807fa2589..ad5925022 100644 --- a/core/src/main/java/net/sourceforge/jnlp/util/UrlWhiteListUtils.java +++ b/core/src/main/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtils.java @@ -1,10 +1,11 @@ -package net.sourceforge.jnlp.util; +package net.sourceforge.jnlp.util.whitelist; import net.adoptopenjdk.icedteaweb.Assert; import net.adoptopenjdk.icedteaweb.StringUtils; import net.adoptopenjdk.icedteaweb.logging.Logger; import net.adoptopenjdk.icedteaweb.logging.LoggerFactory; import net.sourceforge.jnlp.runtime.JNLPRuntime; +import net.sourceforge.jnlp.util.IpUtil; import java.net.MalformedURLException; import java.net.URL; @@ -25,7 +26,7 @@ public class UrlWhiteListUtils { public static final String HTTP = "http"; private static final String PROTOCOL_SEPARATOR = "://"; - private final static Logger LOG = LoggerFactory.getLogger(UrlWhiteListUtils.class); + private static final Logger LOG = LoggerFactory.getLogger(UrlWhiteListUtils.class); private static List applicationUrlWhiteList; private static final Lock whiteListLock = new ReentrantLock(); @@ -37,7 +38,7 @@ public static List getApplicationUrlWhiteList() { applicationUrlWhiteList = JNLPRuntime.getConfiguration().getPropertyAsList(KEY_SECURITY_SERVER_WHITELIST) .stream() .filter(s -> !StringUtils.isBlank(s)) - .map(s -> UrlWhiteListUtils.validateWhitelistUrl(s)) + .map(UrlWhiteListUtils::validateWhitelistUrl) .collect(Collectors.toList()); } return applicationUrlWhiteList; @@ -47,10 +48,10 @@ public static List getApplicationUrlWhiteList() { } public static boolean isUrlInApplicationUrlWhitelist(final URL url) { - return isUrlInWhitelist(url, getApplicationUrlWhiteList(), true); + return isUrlInWhitelist(url, getApplicationUrlWhiteList()); } - static boolean isUrlInWhitelist(final URL url, final List whiteList, final boolean allowLocalhost) { + static boolean isUrlInWhitelist(final URL url, final List whiteList) { Assert.requireNonNull(url, "url"); Assert.requireNonNull(whiteList, "whiteList"); @@ -59,68 +60,23 @@ static boolean isUrlInWhitelist(final URL url, final List whiteL } // is it localhost or loopback - if (allowLocalhost && IpUtil.isLocalhostOrLoopback(url)) { + if (IpUtil.isLocalhostOrLoopback(url)) { return true; // local server need not be in whitelist } - final boolean result = whiteList.stream().anyMatch(wlEntry -> { - try { - if (wlEntry.isValid()) { // ignore invalid whitelist entries - final URL wlUrl = new URL(wlEntry.getValidatedWhitelistEntry()); - return isUrlProtocolMatching(wlUrl, url) && isUrlHostMatching(wlUrl, url) && isUrlPortMatching(wlUrl, url); - } else { - return false; - } - } catch (Exception e) { - LOG.warn("Bad white list url: " + wlEntry.getValidatedWhitelistEntry()); - return false; - } - }); - return result; - } - - private static boolean isUrlProtocolMatching(URL url1, URL url2) { - Assert.requireNonNull(url1, "url1"); - Assert.requireNonNull(url2, "url2"); - return Objects.equals(url1.getProtocol(), url2.getProtocol()); - } - - private static boolean isUrlHostMatching(URL wlUrl, URL url) { - Assert.requireNonNull(wlUrl, "wlUrl"); - Assert.requireNonNull(url, "url"); - - // proto://*:port - if (Objects.equals(wlUrl.getHost(), WILDCARD)) { - return true; - } - - final String[] wlUrlHostParts = wlUrl.getHost().split(HOST_PART_REGEX); - final String[] urlHostParts = url.getHost().split(HOST_PART_REGEX); - - if (wlUrlHostParts.length != urlHostParts.length) { - return false; - } - boolean result = true; - for (int i = 0; i < wlUrlHostParts.length; i++) { - // hostparts are equal if whitelist url has * or they are same - result = result && (Objects.equals(wlUrlHostParts[i], WILDCARD) || Objects.equals(wlUrlHostParts[i], urlHostParts[i])); - } - return result; + return whiteList.stream().anyMatch(wlEntry -> wlEntry.matches(url)); } - private static boolean isUrlPortMatching(URL wlUrl, URL url) { - Assert.requireNonNull(wlUrl, "wlUrl"); - Assert.requireNonNull(url, "url"); - - if (wlUrl.getPort() != -1) { - // url does not have port then force default port as we do the same for whitelist url - if (url.getPort() == -1) { - return wlUrl.getPort() == url.getDefaultPort(); - } else { - return wlUrl.getPort() == url.getPort(); - } + static WhitelistEntry validateWhitelistUrl(final String wlUrlStr) { + Assert.requireNonNull(wlUrlStr, "wlUrlStr"); + try { + final String validatedWLUrlProtocol = validateWhitelistUrlProtocol(wlUrlStr); + final String validatedWLUrlStr = validateWhitelistUrlPort(validatedWLUrlProtocol); + final URL validatedUrl = validateWhitelistUrlHost(validatedWLUrlStr); + return WhitelistEntry.validWhitelistEntry(wlUrlStr, validatedUrl); + } catch (Exception e) { + return WhitelistEntry.invalidWhitelistEntry(wlUrlStr, e.getMessage()); } - return true; } private static String validateWhitelistUrlProtocol(final String wlUrlStr) throws MalformedURLException { @@ -151,7 +107,7 @@ private static String validateWhitelistUrlPort(final String wlUrlStr) throws Mal } catch (Exception e) { // if port is illegal due to * then replace * with "" final int ind = wlUrlStr.lastIndexOf(":"); - if (e.getCause() instanceof NumberFormatException && Objects.equals(wlUrlStr.substring(ind + 1, wlUrlStr.length()), WILDCARD)) { + if (e.getCause() instanceof NumberFormatException && Objects.equals(wlUrlStr.substring(ind + 1), WILDCARD)) { return wlUrlStr.substring(0, ind); } throw e; @@ -159,34 +115,13 @@ private static String validateWhitelistUrlPort(final String wlUrlStr) throws Mal return wlUrlStr; } - // IP Address => all digits, 4 parts, *, - - private static boolean isIP(final String wlUrlStr) { - final boolean hasValidChars = wlUrlStr.replace(HOST_PART_SEP.charAt(0), '0').chars().allMatch(c -> Character.isDigit(c) || c == WILDCARD.charAt(0) || c == '-'); - final String[] ipParts = wlUrlStr.split(HOST_PART_REGEX); - return hasValidChars && ipParts.length == 4; - } - - private static void validateIPPart(final String ipPart) throws Exception { - if (ipPart.contains(WILDCARD) || ipPart.contains("-")) { - throw new Exception(R("SWPINVALIDIPHOST")); - } - try { - final int ipPartInt = Integer.parseInt(ipPart); - if (ipPartInt < 0 || ipPartInt > 255) { - throw new Exception(R("SWPINVALIDIPHOST")); - } - } catch (NumberFormatException nfe) { - throw new Exception(R("SWPINVALIDIPHOST")); - } - } - - private static void validateWhitelistUrlHost(final String wlUrlStr) throws Exception { + private static URL validateWhitelistUrlHost(final String wlUrlStr) throws Exception { final URL wlURL = new URL(wlUrlStr); final String hostStr = wlURL.getHost(); // Whitelist Host is * if (Objects.equals(hostStr, WILDCARD)) { - return; + return wlURL; } final boolean isIPHost = isIP(hostStr); @@ -201,53 +136,28 @@ private static void validateWhitelistUrlHost(final String wlUrlStr) throws Excep } } } - } - static WhitelistEntry validateWhitelistUrl(final String wlUrlStr) { - Assert.requireNonNull(wlUrlStr, "wlUrlStr"); - try { - final String validatedWLUrlProtocol = validateWhitelistUrlProtocol(wlUrlStr); - final String validatedWLUrlStr = validateWhitelistUrlPort(validatedWLUrlProtocol); - validateWhitelistUrlHost(validatedWLUrlStr); - return WhitelistEntry.validWhitelistEntry(wlUrlStr, validatedWLUrlStr); - } catch (Exception e) { - return WhitelistEntry.invalidWhitelistentry(wlUrlStr, e.getMessage()); - } + return wlURL; } - public static class WhitelistEntry { - private final String whitelistEntry; - private final String validatedWhitelistEntry; - private final String errorMessage; - - public String getWhitelistEntry() { - return whitelistEntry; - } - - public String getValidatedWhitelistEntry() { - return validatedWhitelistEntry; - } - - public String getErrorMessage() { - return errorMessage; - } - - private WhitelistEntry(final String whitelistEntry, final String validatedWhitelistEntry, final String errorMessage) { - this.whitelistEntry = whitelistEntry; - this.validatedWhitelistEntry = validatedWhitelistEntry; - this.errorMessage = errorMessage; - } - - public boolean isValid() { - return errorMessage == null; - } + // IP Address => all digits, 4 parts, *, - + private static boolean isIP(final String wlUrlStr) { + final boolean hasValidChars = wlUrlStr.replace(HOST_PART_SEP.charAt(0), '0').chars().allMatch(c -> Character.isDigit(c) || c == WILDCARD.charAt(0) || c == '-'); + final String[] ipParts = wlUrlStr.split(HOST_PART_REGEX); + return hasValidChars && ipParts.length == 4; + } - public static WhitelistEntry validWhitelistEntry(final String wlEntry, final String validatedEntry) { - return new WhitelistEntry(wlEntry, validatedEntry, null); + private static void validateIPPart(final String ipPart) throws Exception { + if (ipPart.contains(WILDCARD) || ipPart.contains("-")) { + throw new Exception(R("SWPINVALIDIPHOST")); } - - public static WhitelistEntry invalidWhitelistentry(final String wlEntry, final String errorMessage) { - return new WhitelistEntry(wlEntry, null, errorMessage); + try { + final int ipPartInt = Integer.parseInt(ipPart); + if (ipPartInt < 0 || ipPartInt > 255) { + throw new Exception(R("SWPINVALIDIPHOST")); + } + } catch (NumberFormatException nfe) { + throw new Exception(R("SWPINVALIDIPHOST")); } } } diff --git a/core/src/main/java/net/sourceforge/jnlp/util/whitelist/WhitelistEntry.java b/core/src/main/java/net/sourceforge/jnlp/util/whitelist/WhitelistEntry.java new file mode 100644 index 000000000..f2a7b2989 --- /dev/null +++ b/core/src/main/java/net/sourceforge/jnlp/util/whitelist/WhitelistEntry.java @@ -0,0 +1,99 @@ +package net.sourceforge.jnlp.util.whitelist; + +import net.adoptopenjdk.icedteaweb.Assert; + +import java.net.URL; +import java.util.Objects; +import java.util.Optional; + +/** + * ... + */ +public class WhitelistEntry { + private static final String WILDCARD = "*"; + private static final String HOST_PART_REGEX = "\\."; + + private final String rawWhitelistEntry; + private final URL effectiveWhitelistEntry; + private final String errorMessage; + + static WhitelistEntry validWhitelistEntry(final String wlEntry, URL effectiveWhitelistEntry) { + Assert.requireNonNull(wlEntry, "wlEntry"); + Assert.requireNonNull(effectiveWhitelistEntry, "effectiveWhitelistEntry"); + return new WhitelistEntry(wlEntry, effectiveWhitelistEntry, null); + } + + static WhitelistEntry invalidWhitelistEntry(final String wlEntry, final String errorMessage) { + Assert.requireNonNull(wlEntry, "wlEntry"); + Assert.requireNonNull(errorMessage, "errorMessage"); + return new WhitelistEntry(wlEntry, null, errorMessage); + } + + private WhitelistEntry(final String rawWhitelistEntry, final URL effectiveWhitelistEntry, final String errorMessage) { + this.rawWhitelistEntry = rawWhitelistEntry; + this.effectiveWhitelistEntry = effectiveWhitelistEntry; + this.errorMessage = errorMessage; + } + + public String getRawWhitelistEntry() { + return rawWhitelistEntry; + } + + public String getEffectiveWhitelistEntry() { + return Optional.ofNullable(effectiveWhitelistEntry).map(Objects::toString).orElse(null); + } + + public String getErrorMessage() { + return errorMessage; + } + + public boolean isValid() { + return errorMessage == null; + } + + public boolean matches(URL url) { + Assert.requireNonNull(url, "url"); + + if (isValid()) { // ignore invalid whitelist entries + return isUrlProtocolMatching(effectiveWhitelistEntry, url) && isUrlHostMatching(effectiveWhitelistEntry, url) && isUrlPortMatching(effectiveWhitelistEntry, url); + } else { + return false; + } + } + private static boolean isUrlProtocolMatching(URL url1, URL url2) { + return Objects.equals(url1.getProtocol(), url2.getProtocol()); + } + + private static boolean isUrlHostMatching(URL wlUrl, URL url) { + // proto://*:port + if (Objects.equals(wlUrl.getHost(), WILDCARD)) { + return true; + } + + final String[] wlUrlHostParts = wlUrl.getHost().split(HOST_PART_REGEX); + final String[] urlHostParts = url.getHost().split(HOST_PART_REGEX); + + if (wlUrlHostParts.length != urlHostParts.length) { + return false; + } + + boolean result = true; + for (int i = 0; i < wlUrlHostParts.length; i++) { + // hostparts are equal if whitelist url has * or they are same + result = result && (Objects.equals(wlUrlHostParts[i], WILDCARD) || Objects.equals(wlUrlHostParts[i], urlHostParts[i])); + } + return result; + } + + private static boolean isUrlPortMatching(URL wlUrl, URL url) { + if (wlUrl.getPort() != -1) { + // url does not have port then force default port as we do the same for whitelist url + if (url.getPort() == -1) { + return wlUrl.getPort() == url.getDefaultPort(); + } else { + return wlUrl.getPort() == url.getPort(); + } + } + return true; + } +} diff --git a/core/src/test/java/net/sourceforge/jnlp/util/UrlWhiteListUtilsTest.java b/core/src/test/java/net/sourceforge/jnlp/util/UrlWhiteListUtilsTest.java deleted file mode 100644 index 06ef8e624..000000000 --- a/core/src/test/java/net/sourceforge/jnlp/util/UrlWhiteListUtilsTest.java +++ /dev/null @@ -1,261 +0,0 @@ -package net.sourceforge.jnlp.util; - -import net.adoptopenjdk.icedteaweb.StringUtils; -import org.junit.Assert; -import org.junit.Test; - -import java.net.MalformedURLException; -import java.net.URL; -import java.util.Arrays; -import java.util.List; -import java.util.stream.Collectors; - -public class UrlWhiteListUtilsTest { - - @Test - public void validateWhitelistUrlString() { - Assert.assertEquals("http://subdomain.domain.com:8888", UrlWhiteListUtils.validateWhitelistUrl("http://subdomain.domain.com:8888").getValidatedWhitelistEntry()); - Assert.assertEquals("https://subdomain.domain.com:9999", UrlWhiteListUtils.validateWhitelistUrl("https://subdomain.domain.com:9999").getValidatedWhitelistEntry()); - Assert.assertEquals("https://123.134.145.156:9999", UrlWhiteListUtils.validateWhitelistUrl("https://123.134.145.156:9999").getValidatedWhitelistEntry()); - Assert.assertEquals("http://123.134.145.156:8888", UrlWhiteListUtils.validateWhitelistUrl("http://123.134.145.156:8888").getValidatedWhitelistEntry()); - - Assert.assertEquals("https://domain.com:443", UrlWhiteListUtils.validateWhitelistUrl("domain.com").getValidatedWhitelistEntry()); - Assert.assertEquals("https://*.domain.com:443", UrlWhiteListUtils.validateWhitelistUrl("*.domain.com").getValidatedWhitelistEntry()); - Assert.assertEquals("https://123.134.145.156:443", UrlWhiteListUtils.validateWhitelistUrl("123.134.145.156:443").getValidatedWhitelistEntry()); - - Assert.assertEquals("http://subdomain.domain.com:80", UrlWhiteListUtils.validateWhitelistUrl("http://subdomain.domain.com").getValidatedWhitelistEntry()); - Assert.assertEquals("http://subdomain.domain.com:80", UrlWhiteListUtils.validateWhitelistUrl("http://subdomain.domain.com/abc/efg").getValidatedWhitelistEntry()); - Assert.assertEquals("https://subdomain.domain.com:443", UrlWhiteListUtils.validateWhitelistUrl("https://subdomain.domain.com").getValidatedWhitelistEntry()); - Assert.assertEquals("https://subdomain.domain.com:443", UrlWhiteListUtils.validateWhitelistUrl("https://subdomain.domain.com/abc/efg").getValidatedWhitelistEntry()); - Assert.assertEquals("https://123.134.145.156:443", UrlWhiteListUtils.validateWhitelistUrl("https://123.134.145.156").getValidatedWhitelistEntry()); - - Assert.assertEquals("http://subdomain.domain.com", UrlWhiteListUtils.validateWhitelistUrl("http://subdomain.domain.com:*").getValidatedWhitelistEntry()); - Assert.assertEquals("https://subdomain.domain.com", UrlWhiteListUtils.validateWhitelistUrl("https://subdomain.domain.com:*").getValidatedWhitelistEntry()); - Assert.assertEquals("https://123.134.145.156", UrlWhiteListUtils.validateWhitelistUrl("https://123.134.145.156:*").getValidatedWhitelistEntry()); - - Assert.assertEquals("https://*:443", UrlWhiteListUtils.validateWhitelistUrl("*").getValidatedWhitelistEntry()); - Assert.assertEquals("http://*:80", UrlWhiteListUtils.validateWhitelistUrl("http://*:80").getValidatedWhitelistEntry()); - Assert.assertEquals("https://*:443", UrlWhiteListUtils.validateWhitelistUrl("https://*:443").getValidatedWhitelistEntry()); - - Assert.assertEquals("http://*", UrlWhiteListUtils.validateWhitelistUrl("http://*:*").getValidatedWhitelistEntry()); - Assert.assertEquals("https://*", UrlWhiteListUtils.validateWhitelistUrl("https://*:*").getValidatedWhitelistEntry()); - } - - @Test - public void validateIllegalWhitelistUrlString() throws MalformedURLException { - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://subdomain.domain.com:1*").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://*jvms.domain.com:443").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://jvms.*.com:443").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://xyz.dom*.com:443").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("*.domain.com:ABC").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("//*.domain.com:123").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl(":*.domain.com:123").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("://*.domain.com:123").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl(":/*.domain.com:123").isValid()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("/*.domain.com:123").isValid()); - // Seem illegal but are valid - Assert.assertTrue(UrlWhiteListUtils.validateWhitelistUrl("123.domain.com:123").isValid()); - Assert.assertTrue(UrlWhiteListUtils.validateWhitelistUrl("123.123.123:123").isValid()); - Assert.assertTrue(UrlWhiteListUtils.validateWhitelistUrl("-123.domain.com:123").isValid()); - } - - @Test - public void validateIllegalWhitelistIPUrlString() throws MalformedURLException { - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://123.*.156.145").getErrorMessage().isEmpty()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://123.1*.0.156").getErrorMessage().isEmpty()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://123.134.145.-1").getErrorMessage().isEmpty()); - Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl("https://256.134.145.255").getErrorMessage().isEmpty()); - } - - @Test - public void urlInWhiteList() throws Exception { - List wildcardWhiteList = Arrays.asList(new String[]{ - "https://rfy.m-b.com", - "https://*.m-b.com", - "https://rfy.*.com", - "https://rfy.m-b.*", - "https://*.*.*:446", - "https://*:447", - "https://*.mydomain.com", - "http://*.mydomain.com", - "*.cintra.net", - "*.dmlr.com"}); - - List wList = getValidatedWhitelist(wildcardWhiteList); - - // "https://rfry.m-b.com" - URL url = new URL("https://rfy.m-b.com:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); //+ " https://rfy.m-b.com:443/some_URL"); - - // "https://rfy.m-b.com:443" - url = new URL("https://rfy.m-b.com:445/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy.m-b.com:445/some_URL"); - - // "https://*.m-b.com" - url = new URL("https://rfyA.m-b.com:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b.com:443/some_URL"); - - // "https://rfy.*.com" - url = new URL("https://rfy.m-b1.com:443/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy.m-b1.com:443/some_URL"); - - // "https://*.m-b.com" - url = new URL("https://rfy.m-b.org:443/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy.m-b.org:443/some_URL"); - - url = new URL("https://rfy.m-b.com:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy.m-b.org:443/some_URL"); - - // "https://*.*.*:446" - url = new URL("https://rfy1.m-b1.org:446/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "https://*:447" - url = new URL("https://rfy1.m-b1.org:447/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "https://*:446" - url = new URL("https://rfy1.m-b1.com:445/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.com:445/some_URL"); - - // "https://*.mydomain.com" - url = new URL("https://abc.mydomain.com:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "https://*.mydomain.com" - url = new URL("https://abc.mydomain.com:444/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "http://*.mydomain.com" - url = new URL("http://abc.mydomain.com:80/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "http://*.mydomain.com" - url = new URL("http://abc.mydomain.com:81/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "*.cintra.net" - url = new URL("https://abc.cintra.net:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - url = new URL("http://abc.cintra.net:443/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "*.dmlr.com" - url = new URL("https://abc.dmlr.com:443/some_URL"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - - // "*.dmlr.com" - url = new URL("https://abc.dmlr.com:44/some_URL"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); // + " https://rfy1.m-b1.org:446/some_URL"); - } - - @Test - public void demoUrlInWhiteList() throws Exception { - List wildcardWhiteList = Arrays.asList(new String[]{ - "docs.oracle.com", - "*.oracle.org", - "docs.*.net", - }); - - List wList = getValidatedWhitelist(wildcardWhiteList); - - URL url = new URL("https://docs.oracle.com/j2se/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://any.oracle.org:443/j2se/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://any.one.oracle.org:443/j2se/tutorial"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://any.net:443/j2se/tutorial"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://docs.any.net:443/j2se/tutorial"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - } - - @Test - public void ipUrlInWhiteList() throws Exception { - List wildcardWhiteList = Arrays.asList(new String[]{ - "123.134.145.156", - "123.134.145.156:167", - "*.134.145.156:167", - "http://124.134.145.156", - "http://125.134.145.157:*", - "https://123.134.145.156", - "https://126.134.145.156:333", - "http://124.134.145.156:333", - "http://124.134.145.156:335/abc/efg", - }); - - List wList = getValidatedWhitelist(wildcardWhiteList); - - URL url = new URL("https://123.134.145.156/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://123.134.145.156:443/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://124.134.145.156:443"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.156/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.156:80/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://125.134.145.157:90/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://123.134.145.156:167/j2se/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.156:333/j2se/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.158:333/j2se/tutorial"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://126.134.145.156:333/j2se/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.156:335/abc/efg"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://124.134.145.156:336/abcd/efg"); - Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - } - - @Test - public void wildCard() throws Exception { - List wildcardWhiteList = Arrays.asList(new String[]{ - "*", - "http://*" - }); - - List wList = getValidatedWhitelist(wildcardWhiteList); - - URL url = new URL("https://123.134.145.156/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("https://abc.efg.com/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://abc.com/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - - url = new URL("http://123.134.145.156:80/tutorial"); - Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList, true)); - } - - private static List getValidatedWhitelist(List wildcardWhiteList) { - return wildcardWhiteList - .stream() - .filter(s -> !StringUtils.isBlank(s)) - .map(s -> UrlWhiteListUtils.validateWhitelistUrl(s)) - .collect(Collectors.toList()); - } -} \ No newline at end of file diff --git a/core/src/test/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtilsTest.java b/core/src/test/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtilsTest.java new file mode 100644 index 000000000..e886cf7f6 --- /dev/null +++ b/core/src/test/java/net/sourceforge/jnlp/util/whitelist/UrlWhiteListUtilsTest.java @@ -0,0 +1,264 @@ +package net.sourceforge.jnlp.util.whitelist; + +import net.adoptopenjdk.icedteaweb.StringUtils; +import org.junit.Assert; +import org.junit.Test; + +import java.net.URL; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class UrlWhiteListUtilsTest { + + @Test + public void validateWhitelistUrlString() { + assertEffectiveUrl("http://subdomain.domain.com:8888", "http://subdomain.domain.com:8888"); + assertEffectiveUrl("https://subdomain.domain.com:9999", "https://subdomain.domain.com:9999"); + assertEffectiveUrl("https://123.134.145.156:9999", "https://123.134.145.156:9999"); + assertEffectiveUrl("http://123.134.145.156:8888", "http://123.134.145.156:8888"); + + assertEffectiveUrl("https://domain.com:443", "domain.com"); + assertEffectiveUrl("https://*.domain.com:443", "*.domain.com"); + assertEffectiveUrl("https://123.134.145.156:443", "123.134.145.156:443"); + + assertEffectiveUrl("http://subdomain.domain.com:80", "http://subdomain.domain.com"); + assertEffectiveUrl("http://subdomain.domain.com:80", "http://subdomain.domain.com/abc/efg"); + assertEffectiveUrl("https://subdomain.domain.com:443", "https://subdomain.domain.com"); + assertEffectiveUrl("https://subdomain.domain.com:443", "https://subdomain.domain.com/abc/efg"); + assertEffectiveUrl("https://123.134.145.156:443", "https://123.134.145.156"); + + assertEffectiveUrl("http://subdomain.domain.com", "http://subdomain.domain.com:*"); + assertEffectiveUrl("https://subdomain.domain.com", "https://subdomain.domain.com:*"); + assertEffectiveUrl("https://123.134.145.156", "https://123.134.145.156:*"); + + assertEffectiveUrl("https://*:443", "*"); + assertEffectiveUrl("http://*:80", "http://*:80"); + assertEffectiveUrl("https://*:443", "https://*:443"); + + assertEffectiveUrl("http://*", "http://*:*"); + assertEffectiveUrl("https://*", "https://*:*"); + } + + private void assertEffectiveUrl(String expected, String wlUrlStr) { + Assert.assertEquals(expected, UrlWhiteListUtils.validateWhitelistUrl(wlUrlStr).getEffectiveWhitelistEntry()); + } + + @Test + public void validateIllegalWhitelistUrlString() { + assertInvalidWhitelistEntry("https://subdomain.domain.com:1*"); + assertInvalidWhitelistEntry("https://*jvms.domain.com:443"); + assertInvalidWhitelistEntry("https://jvms.*.com:443"); + assertInvalidWhitelistEntry("https://xyz.dom*.com:443"); + assertInvalidWhitelistEntry("*.domain.com:ABC"); + assertInvalidWhitelistEntry("//*.domain.com:123"); + assertInvalidWhitelistEntry(":*.domain.com:123"); + assertInvalidWhitelistEntry("://*.domain.com:123"); + assertInvalidWhitelistEntry(":/*.domain.com:123"); + assertInvalidWhitelistEntry("/*.domain.com:123"); + // Seem illegal but are valid + assertValidWhitelistEntry("123.domain.com:123"); + assertValidWhitelistEntry("123.123.123:123"); + assertValidWhitelistEntry("-123.domain.com:123"); + } + + @Test + public void validateIllegalWhitelistIPUrlString() { + assertInvalidWhitelistEntry("https://123.*.156.145"); + assertInvalidWhitelistEntry("https://123.1*.0.156"); + assertInvalidWhitelistEntry("https://123.134.145.-1"); + assertInvalidWhitelistEntry("https://256.134.145.255"); + } + + private void assertInvalidWhitelistEntry(String wlUrlStr) { + Assert.assertFalse(UrlWhiteListUtils.validateWhitelistUrl(wlUrlStr).isValid()); + } + + private void assertValidWhitelistEntry(String wlUrlStr) { + Assert.assertTrue(UrlWhiteListUtils.validateWhitelistUrl(wlUrlStr).isValid()); + } + + @Test + public void urlInWhiteList() throws Exception { + List wList = getValidatedWhitelist( + "https://rfy.m-b.com", + "https://*.m-b.com", + "https://rfy.*.com", + "https://rfy.m-b.*", + "https://*.*.*:446", + "https://*:447", + "https://*.mydomain.com", + "http://*.mydomain.com", + "*.cintra.net", + "*.dmlr.com" + ); + + // "https://rfry.m-b.com" + URL url = new URL("https://rfy.m-b.com:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); //+ " https://rfy.m-b.com:443/some_URL"); + + // "https://rfy.m-b.com:443" + url = new URL("https://rfy.m-b.com:445/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy.m-b.com:445/some_URL"); + + // "https://*.m-b.com" + url = new URL("https://rfyA.m-b.com:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b.com:443/some_URL"); + + // "https://rfy.*.com" + url = new URL("https://rfy.m-b1.com:443/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy.m-b1.com:443/some_URL"); + + // "https://*.m-b.com" + url = new URL("https://rfy.m-b.org:443/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy.m-b.org:443/some_URL"); + + url = new URL("https://rfy.m-b.com:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy.m-b.org:443/some_URL"); + + // "https://*.*.*:446" + url = new URL("https://rfy1.m-b1.org:446/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "https://*:447" + url = new URL("https://rfy1.m-b1.org:447/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "https://*:446" + url = new URL("https://rfy1.m-b1.com:445/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.com:445/some_URL"); + + // "https://*.mydomain.com" + url = new URL("https://abc.mydomain.com:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "https://*.mydomain.com" + url = new URL("https://abc.mydomain.com:444/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "http://*.mydomain.com" + url = new URL("http://abc.mydomain.com:80/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "http://*.mydomain.com" + url = new URL("http://abc.mydomain.com:81/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "*.cintra.net" + url = new URL("https://abc.cintra.net:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + url = new URL("http://abc.cintra.net:443/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "*.dmlr.com" + url = new URL("https://abc.dmlr.com:443/some_URL"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + + // "*.dmlr.com" + url = new URL("https://abc.dmlr.com:44/some_URL"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); // + " https://rfy1.m-b1.org:446/some_URL"); + } + + @Test + public void demoUrlInWhiteList() throws Exception { + List wList = getValidatedWhitelist( + "docs.oracle.com", + "*.oracle.org", + "docs.*.net" + ); + + URL url = new URL("https://docs.oracle.com/j2se/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://any.oracle.org:443/j2se/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://any.one.oracle.org:443/j2se/tutorial"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://any.net:443/j2se/tutorial"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://docs.any.net:443/j2se/tutorial"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + } + + @Test + public void ipUrlInWhiteList() throws Exception { + List wList = getValidatedWhitelist( + "123.134.145.156", + "123.134.145.156:167", + "*.134.145.156:167", + "http://124.134.145.156", + "http://125.134.145.157:*", + "https://123.134.145.156", + "https://126.134.145.156:333", + "http://124.134.145.156:333", + "http://124.134.145.156:335/abc/efg" + ); + + URL url = new URL("https://123.134.145.156/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://123.134.145.156:443/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://124.134.145.156:443"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.156/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.156:80/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://125.134.145.157:90/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://123.134.145.156:167/j2se/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.156:333/j2se/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.158:333/j2se/tutorial"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://126.134.145.156:333/j2se/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.156:335/abc/efg"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://124.134.145.156:336/abcd/efg"); + Assert.assertFalse(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + } + + @Test + public void wildCard() throws Exception { + List wList = getValidatedWhitelist( + "*", + "http://*" + ); + + URL url = new URL("https://123.134.145.156/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("https://abc.efg.com/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://abc.com/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + + url = new URL("http://123.134.145.156:80/tutorial"); + Assert.assertTrue(UrlWhiteListUtils.isUrlInWhitelist(url, wList)); + } + + private static List getValidatedWhitelist(String... wildcardWhiteList) { + return Stream.of(wildcardWhiteList) + .filter(s -> !StringUtils.isBlank(s)) + .map(UrlWhiteListUtils::validateWhitelistUrl) + .collect(Collectors.toList()); + } +}