From a2a3f8f5153a7b7ec55cfb879c63f3e015af9b56 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Tue, 8 Mar 2022 14:28:24 +0000
Subject: [PATCH] Check FormAuthentication location cookie

---
 .../security/FormAuthParametersTestCase.java | 18 +++++++++++++++++-
 .../security/FormAuthenticationMechanism.java | 13 +++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
index d557dbcea03c66..6a77b56e8ca664 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
@@ -116,7 +116,7 @@ public void testFormBasedAuthSuccessLandingPage() {
     }
 
     @Test
-    public void testFormAuthFailure() {
+    public void testFormAuthFailureWrongPassword() {
         CookieFilter cookies = new CookieFilter();
         RestAssured
                 .given()
@@ -132,4 +132,20 @@ public void testFormAuthFailure() {
                 .header("location", containsString("/error"));
     }
 
+
+    @Test
+    public void testFormAuthFailureWrongRedirect() {
+        CookieFilter cookies = new CookieFilter();
+        RestAssured
+                .given()
+                .filter(cookies)
+                .when()
+                .cookies("redirect-location", "http://localhost")
+                .formParam("username", "admin")
+                .formParam("password", "admin")
+                .post("/auth")
+                .then()
+                .assertThat()
+                .statusCode(401);
+    }
 }
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
index c49a17dbfd8bd4..aea3cb10c210ae 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
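Review bot: `testFormAuthFailureWrongRedirect` covers only a well-formed cookie value pointing at a different authority (`http://localhost` versus whatever host and port the test server is reached on, which is not visible here) and asserts a bare 401; the malformed-cookie path is left untested. In the runtime hunk on this page the cookie value goes straight into `URI.create`, which throws `IllegalArgumentException` on unparsable input rather than the `AuthenticationCompletionException` this test relies on, so that case would presumably not produce the 401 asserted here. A second case such as `.cookies("redirect-location", "http://[bad")` asserting `statusCode(401)` would pin the intended behaviour for attacker-supplied cookie values. It would also be worth asserting that the rejected request is not issued a session cookie, using whichever cookie name the mechanism sets on success.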
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
@@ -1,5 +1,6 @@
 package io.quarkus.vertx.http.runtime.security;
 
+import java.net.URI;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Optional;
@@ -9,6 +10,7 @@
 import org.jboss.logging.Logger;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
+import io.quarkus.security.AuthenticationCompletionException;
 import io.quarkus.security.credential.PasswordCredential;
 import io.quarkus.security.identity.IdentityProviderManager;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -118,6 +120,7 @@ protected void handleRedirectBack(final RoutingContext exchange) {
         Cookie redirect = exchange.getCookie(locationCookie);
         String location;
         if (redirect != null) {
+            verifyRedirectBackLocation(exchange.request().absoluteURI(), redirect.getValue());
             redirect.setSecure(exchange.request().isSSL());
             location = redirect.getValue();
             exchange.response().addCookie(redirect.setMaxAge(0));
@@ -129,6 +132,16 @@ protected void handleRedirectBack(final RoutingContext exchange) {
         exchange.response().end();
     }
 
+    protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
+        URI requestUri = URI.create(requestURIString);
+        URI redirectUri = URI.create(redirectUriString);
+        if (!requestUri.getAuthority().equals(redirectUri.getAuthority()) || requestUri.getScheme() != redirectUri.getScheme()) {
+            log.errorf("Location cookie value %s does not match the current request URI %s's scheme, host or port", redirectUriString,
+                    requestURIString);
+            throw new AuthenticationCompletionException();
+        }
+    }
+
     protected void storeInitialLocation(final RoutingContext exchange) {
         exchange.response().addCookie(Cookie.cookie(locationCookie, exchange.request().absoluteURI())
                 .setPath("/").setSecure(exchange.request().isSSL()));
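Review bot: The new `verifyRedirectBackLocation(...)` call is placed before `exchange.response().addCookie(redirect.setMaxAge(0))`, so when it throws the offending `redirect-location` cookie is never expired and every later login attempt that still carries it fails the same way until the browser drops the cookie on its own. Since the cookie value is client-supplied, anything able to set a cookie for this host (a sibling application on the same domain, for instance) can turn that into a lasting login denial. Expiring the cookie first, `exchange.response().addCookie(redirect.setMaxAge(0));` ahead of the verify call, would let the next attempt recover, assuming the code that turns `AuthenticationCompletionException` into the 401 response keeps headers already added to the response — that handler is outside this diff. `handleRedirectBack` begins and ends outside the hunk.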
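Review bot: `requestUri.getScheme() != redirectUri.getScheme()` in `verifyRedirectBackLocation` compares the two scheme strings by reference; `java.net.URI` builds its components with `substring`, so two equal schemes from separate parses are generally distinct objects and the condition is expected to evaluate true for matching URIs — it should be `!requestUri.getScheme().equals(redirectUri.getScheme())`. The cookie value is attacker-controllable, and `URI.create` throws `IllegalArgumentException` on a malformed value while `getAuthority()` and `getScheme()` return `null` for a relative one, so the method can fail with an unhandled exception (or a `NullPointerException` once `equals` is used) instead of the `AuthenticationCompletionException` the caller is written around. Parsing the cookie defensively and comparing with `Objects.equals` (which needs `java.util.Objects` imported) closes both gaps; a relative cookie value is then rejected, which is safe because `storeInitialLocation` only ever stores `absoluteURI()`. The error log also echoes the raw cookie value, which is acceptable for diagnostics but is attacker-supplied text and should be treated as such downstream.

```java
protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
    URI requestUri = URI.create(requestURIString);
    URI redirectUri;
    try {
        redirectUri = URI.create(redirectUriString);
    } catch (IllegalArgumentException e) {
        log.errorf("Location cookie value %s is not a valid URI", redirectUriString);
        throw new AuthenticationCompletionException();
    }
    if (!Objects.equals(requestUri.getAuthority(), redirectUri.getAuthority())
            || !Objects.equals(requestUri.getScheme(), redirectUri.getScheme())) {
        // … unchanged: error log and AuthenticationCompletionException …
    }
}
```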