All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.jackrabbit.webdav.util.CSRFUtil Maven / Gradle / Ivy

There is a newer version: 2.23.1-beta
Show newest version
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.webdav.util;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * CSRFUtil...
 */
public class CSRFUtil {

    /**
     * Constant used to
     */
    public static final String DISABLED = "disabled";

    /**
     * Request content types for CSRF checking, see JCR-3909, JCR-4002, and JCR-4009
     */
    public static final Set CONTENT_TYPES = Collections.unmodifiableSet(new HashSet(
            Arrays.asList(
                    new String[] {
                            "application/x-www-form-urlencoded",
                            "multipart/form-data",
                            "text/plain"
                    }
            )
    ));

    /**
     * logger instance
     */
    private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);

    /**
     * Disable referrer based CSRF protection
     */
    private final boolean disabled;

    /**
     * Additional allowed referrer hosts for CSRF protection
     */
    private final Set allowedReferrerHosts;

    /**
     * Creates a new instance from the specified configuration, which defines
     * the behaviour of the referrer based CSRF protection as follows:
     * 
    *
  1. If config is null or empty string the default * behaviour is to allow only requests with an empty referrer header or a * referrer host equal to the server host
  2. *
  3. A comma separated list of additional allowed referrer hosts which are * valid in addition to default behaviour (see above).
  4. *
  5. The value {@link #DISABLED} may be used to disable the referrer checking altogether
  6. *
* * @param config The configuration value which may be any of the following: *
    *
  • null or empty string for the default behaviour, which * only allows requests with an empty referrer header or a * referrer host equal to the server host
  • *
  • A comma separated list of additional allowed referrer hosts which are * valid in addition to default behaviour (see above).
  • *
  • {@link #DISABLED} in order to disable the referrer checking altogether
  • *
*/ public CSRFUtil(String config) { if (config == null || config.length() == 0) { disabled = false; allowedReferrerHosts = Collections.emptySet(); log.debug("CSRF protection disabled"); } else { if (DISABLED.equalsIgnoreCase(config.trim())) { disabled = true; allowedReferrerHosts = Collections.emptySet(); } else { disabled = false; String[] allowed = config.split(","); allowedReferrerHosts = new HashSet(allowed.length); for (String entry : allowed) { allowedReferrerHosts.add(entry.trim()); } } log.debug("CSRF protection enabled, allowed referrers: " + allowedReferrerHosts); } } public boolean isValidRequest(HttpServletRequest request) { if (disabled) { return true; } else if (!"POST".equals(request.getMethod())) { // protection only needed for POST return true; } else { Enumeration cts = (Enumeration) request.getHeaders("Content-Type"); String ct = null; if (cts != null && cts.hasMoreElements()) { String t = cts.nextElement(); // prune parameters int semicolon = t.indexOf(';'); if (semicolon >= 0) { t = t.substring(0, semicolon); } ct = t.trim().toLowerCase(Locale.ENGLISH); } if (cts != null && cts.hasMoreElements()) { // reject if there are more header field instances log.debug("request blocked because there were multiple content-type header fields"); return false; } if (ct != null && !CONTENT_TYPES.contains(ct)) { // type present and not in blacklist return true; } String refHeader = request.getHeader("Referer"); // empty referrer headers are not allowed for POST + relevant // content types (see JCR-3909) if (refHeader == null) { log.debug("POST with content type " + ct + " blocked due to missing referer header field"); return false; } try { String host = new URI(refHeader).getHost(); // test referrer-host equals server or // if it is contained in the set of explicitly allowed host // names boolean ok = host == null || host.equals(request.getServerName()) || allowedReferrerHosts.contains(host); if (!ok) { log.debug("POST with content type " + ct + " blocked due to referer header field being: " + refHeader); } return ok; } catch (URISyntaxException ex) { // referrer malformed -> block access log.debug("POST with content type " + ct + " blocked due to malformed referer header field: " + refHeader); return false; } } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy