Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Fix non-standard HTTP method for CsrfWebFilter

Closes gh-8452
Rob Winch 5 years ago
parent
6db514a4e2 4473dca022
commit
8d447633f4
2 changed files with 18 additions and 3 deletions
Unified View Show Diff Stats
  1. 3 2
      web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
  2. 15 1
      web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java

+ 3 - 2
web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
View File 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2002-2017 the original author or authors.
 
+ * Copyright 2002-2020 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -60,6 +60,7 @@ import static java.lang.Boolean.TRUE;
 
  * </p>
 
  * </p>
 
  *
 
  *
 
  * @author Rob Winch
 
  * @author Rob Winch
 
+ * @author Parikshit Dutta
 
  * @since 5.0
 
  * @since 5.0
 
  */
 
  */
 
 public class CsrfWebFilter implements WebFilter {
 
 public class CsrfWebFilter implements WebFilter {
 
@@ -187,7 +188,7 @@ public class CsrfWebFilter implements WebFilter {
 
 		@Override
 
 		@Override
 
 		public Mono<MatchResult> matches(ServerWebExchange exchange) {
 
 		public Mono<MatchResult> matches(ServerWebExchange exchange) {
 
 			return Mono.just(exchange.getRequest())
 
 			return Mono.just(exchange.getRequest())
 
-				.map(r -> r.getMethod())
 
+				.flatMap(r -> Mono.justOrEmpty(r.getMethod()))
 
 				.filter(m -> ALLOWED_METHODS.contains(m))
 
 				.filter(m -> ALLOWED_METHODS.contains(m))
 
 				.flatMap(m -> MatchResult.notMatch())
 
 				.flatMap(m -> MatchResult.notMatch())
 
 				.switchIfEmpty(MatchResult.match());
 
 				.switchIfEmpty(MatchResult.match());

+ 15 - 1
web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
View File 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2002-2017 the original author or authors.
 
+ * Copyright 2002-2020 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -20,11 +20,14 @@ import org.junit.Test;
 
 import org.junit.runner.RunWith;
 
 import org.junit.runner.RunWith;
 
 import org.mockito.Mock;
 
 import org.mockito.Mock;
 
 import org.mockito.junit.MockitoJUnitRunner;
 
 import org.mockito.junit.MockitoJUnitRunner;
 
+
 
+import org.springframework.http.HttpMethod;
 
 import org.springframework.http.HttpStatus;
 
 import org.springframework.http.HttpStatus;
 
 import org.springframework.http.MediaType;
 
 import org.springframework.http.MediaType;
 
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 
 import org.springframework.mock.web.server.MockServerWebExchange;
 
 import org.springframework.mock.web.server.MockServerWebExchange;
 
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
 
 import org.springframework.test.web.reactive.server.WebTestClient;
 
 import org.springframework.test.web.reactive.server.WebTestClient;
 
 import org.springframework.web.bind.annotation.RequestMapping;
 
 import org.springframework.web.bind.annotation.RequestMapping;
 
 import org.springframework.web.bind.annotation.RestController;
 
 import org.springframework.web.bind.annotation.RestController;
 
@@ -45,6 +48,7 @@ import static org.springframework.web.reactive.function.BodyInserters.fromMultip
 
 
 
 /**
 
 /**
 
  * @author Rob Winch
 
  * @author Rob Winch
 
+ * @author Parikshit Dutta
 
  * @since 5.0
 
  * @since 5.0
 
  */
 
  */
 
 @RunWith(MockitoJUnitRunner.class)
 
 @RunWith(MockitoJUnitRunner.class)
 
@@ -183,6 +187,16 @@ public class CsrfWebFilterTests {
 
 		chainResult.assertWasSubscribed();
 
 		chainResult.assertWasSubscribed();
 
 	}
 
 	}
 
 
 
+	@Test
 
+	// gh-8452
 
+	public void matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed() {
 
+		HttpMethod customHttpMethod = HttpMethod.resolve("non-standard-http-method");
 
+		MockServerWebExchange nonStandardHttpRequest = from(MockServerHttpRequest.method(customHttpMethod, "/"));
 
+
 
+		ServerWebExchangeMatcher serverWebExchangeMatcher = CsrfWebFilter.DEFAULT_CSRF_MATCHER;
 
+		assertThat(serverWebExchangeMatcher.matches(nonStandardHttpRequest).map(MatchResult::isMatch).block()).isTrue();
 
+	}
 
+
 
 	@Test
 
 	@Test
 
 	public void doFilterWhenSkipExchangeInvokedThenSkips() {
 
 	public void doFilterWhenSkipExchangeInvokedThenSkips() {
 
 		PublisherProbe<Void> chainResult = PublisherProbe.empty();
 
 		PublisherProbe<Void> chainResult = PublisherProbe.empty();