From 210bb87b389f21411b2153f28c126f1a0d8f122c Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Tue, 8 Mar 2022 14:28:24 +0000
Subject: [PATCH] Check FormAuthentication location cookie

(cherry picked from commit 2db0a755481b031f307aca01185013b4e9f304fb)
---
 .../security/FormAuthParametersTestCase.java | 18 +++++++++++++++++-
 .../security/FormAuthenticationMechanism.java | 15 +++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
index d557dbcea03c6..6a77b56e8ca66 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/security/FormAuthParametersTestCase.java
@@ -116,7 +116,7 @@ public void testFormBasedAuthSuccessLandingPage() {
     }
 
     @Test
-    public void testFormAuthFailure() {
+    public void testFormAuthFailureWrongPassword() {
         CookieFilter cookies = new CookieFilter();
         RestAssured
                 .given()
@@ -132,4 +132,20 @@ public void testFormAuthFailure() {
                 .header("location", containsString("/error"));
     }
 
+
+    @Test
+    public void testFormAuthFailureWrongRedirect() {
+        CookieFilter cookies = new CookieFilter();
+        RestAssured
+                .given()
+                .filter(cookies)
+                .when()
+                .cookies("redirect-location", "http://localhost")
+                .formParam("username", "admin")
+                .formParam("password", "admin")
+                .post("/auth")
+                .then()
+                .assertThat()
+                .statusCode(401);
+    }
 }
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
index e69482a8f6693..02e34f5cad017 100644
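Review bot: testFormAuthFailureWrongRedirect exercises a single rejection case, a cookie whose authority differs from the test server's (`http://localhost` with no port, which presumably differs from the port RestAssured targets), and there is no case for a cookie value that is not a syntactically valid URI, which the mechanism handles on a separate path from the scheme/authority comparison. A second test sending e.g. `.cookies("redirect-location", "not a uri")` with the same credentials and asserting `.statusCode(401)` would pin that a malformed cookie is rejected the same way rather than surfacing as a server error. The happy path with a matching cookie is presumably still covered by testFormBasedAuthSuccessLandingPage, which lies above this hunk and is not visible here.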
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
@@ -1,5 +1,6 @@
 package io.quarkus.vertx.http.runtime.security;
 
+import java.net.URI;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Optional;
@@ -9,6 +10,7 @@
 import org.jboss.logging.Logger;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
+import io.quarkus.security.AuthenticationCompletionException;
 import io.quarkus.security.credential.PasswordCredential;
 import io.quarkus.security.identity.IdentityProviderManager;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -118,6 +120,7 @@ protected void handleRedirectBack(final RoutingContext exchange) {
         Cookie redirect = exchange.getCookie(locationCookie);
         String location;
         if (redirect != null) {
+            verifyRedirectBackLocation(exchange.request().absoluteURI(), redirect.getValue());
             redirect.setSecure(exchange.request().isSSL());
             location = redirect.getValue();
             exchange.response().addCookie(redirect.setMaxAge(0));
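Review bot: The location cookie is only expired when verification succeeds — `exchange.response().addCookie(redirect.setMaxAge(0))` sits three lines below the new `verifyRedirectBackLocation` call — so once the check throws, the rejected cookie stays in the browser and every subsequent login on this path fails the same way until the user clears it or it expires. Consider expiring it before the check by moving `exchange.response().addCookie(redirect.setMaxAge(0));` above the `verifyRedirectBackLocation(...)` line (the later `setSecure` still applies, since it mutates the same Cookie object); whether that Set-Cookie header still reaches the client on the exception path depends on how AuthenticationCompletionException is rendered into a response, which is outside this hunk. handleRedirectBack starts before the hunk and continues after it.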
@@ -129,6 +132,18 @@ protected void handleRedirectBack(final RoutingContext exchange) {
         exchange.response().end();
     }
 
+    protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
+        URI requestUri = URI.create(requestURIString);
+        URI redirectUri = URI.create(redirectUriString);
+        if (!requestUri.getAuthority().equals(redirectUri.getAuthority())
+                || !requestUri.getScheme().equals(redirectUri.getScheme())) {
+            log.errorf("Location cookie value %s does not match the current request URI %s's scheme, host or port",
+                    redirectUriString,
+                    requestURIString);
+            throw new AuthenticationCompletionException();
+        }
+    }
+
     protected void storeInitialLocation(final RoutingContext exchange) {
         exchange.response().addCookie(Cookie.cookie(locationCookie, exchange.request().absoluteURI())
                 .setPath("/").setSecure(exchange.request().isSSL()));
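Review bot: `URI.create(redirectUriString)` in verifyRedirectBackLocation throws IllegalArgumentException for a cookie value that is not a syntactically valid URI, and that exception is not turned into AuthenticationCompletionException, so a malformed or tampered `redirect-location` cookie takes a different failure path (presumably a generic server error) than a well-formed one that fails the scheme/authority comparison. Wrapping both `URI.create` calls in a catch for IllegalArgumentException and failing the same way closes that gap, as sketched below. The mismatch is also logged at error level with the client-supplied cookie value; since any client can trigger it, warn or debug level is more appropriate and keeps client-controlled strings out of the error log. Whether `exchange.request().absoluteURI()` reflects the scheme and host the browser actually used when the app sits behind a reverse proxy depends on the proxy/forwarded-header configuration, which this hunk does not show; storeInitialLocation continues past the end of the hunk.
```java
protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
    URI requestUri;
    URI redirectUri;
    try {
        requestUri = URI.create(requestURIString);
        redirectUri = URI.create(redirectUriString);
    } catch (IllegalArgumentException e) {
        // A location cookie that does not parse is rejected exactly like a mismatching one.
        log.warnf(e, "Location cookie value %s or request URI %s is not a valid URI", redirectUriString, requestURIString);
        throw new AuthenticationCompletionException();
    }
    // … unchanged: scheme/authority comparison, log and throw …
}
```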