LUTECE-2206 : Avoid open redirect when modifying a theme

seboo · seboo · commit bdf113399939 · 2018-08-08T14:39:06.000+02:00
diff --git a/src/java/fr/paris/lutece/portal/web/style/ThemesJspBean.java b/src/java/fr/paris/lutece/portal/web/style/ThemesJspBean.java
@@ -138,7 +138,8 @@ public String doModifyUserTheme( HttpServletRequest request, HttpServletResponse
         String strTheme = request.getParameter( PARAMETER_THEME );
         String strForwardUrl = request.getParameter( PARAMETER_URL );
 
-        if ( !SecurityUtil.containsCleanParameters( request ) )
+        if ( !SecurityUtil.containsCleanParameters( request ) 
+                || !SecurityUtil.isForwardUrlValid( strForwardUrl, request) )
         {
             return AppPathService.getBaseUrl( request );
         }
diff --git a/src/java/fr/paris/lutece/util/http/SecurityUtil.java b/src/java/fr/paris/lutece/util/http/SecurityUtil.java
@@ -33,6 +33,7 @@
  */
 package fr.paris.lutece.util.http;
 
+import fr.paris.lutece.portal.service.util.AppPathService;
 import fr.paris.lutece.portal.web.LocalVariables;
 import fr.paris.lutece.util.string.StringUtil;
 
@@ -266,6 +267,40 @@ public static String getRealIp( HttpServletRequest request )
 
         return strIPAddress;
     }
+    
+    /**
+     * Validate a forward URL to avoid open redirect
+     * the url should :
+     *      - not be blank (null or empty string or spaces)
+     *      - start with the base URL, or not start with "http" or "//"
+     * 
+     * example with a base url "https://lutece.fr/ :
+     *      - valid : /jsp/site/Portal.jsp , Another.jsp , https://lutece.fr/jsp/site/Portal.jsp
+     *      - invalid : http://anothersite.com , https://anothersite.com , //anothersite.com , file://my.txt , ...
+     * 
+     * @param strForwardUrl
+     * @param request
+     * @return true if valid
+     */
+    public static boolean isForwardUrlValid( String strForwardUrl, HttpServletRequest request )
+    {
+
+        if ( StringUtils.isBlank( strForwardUrl) ) return false ;
+
+        if ( ( strForwardUrl.startsWith( "//" ) || strForwardUrl.contains( "://" ) )
+                && !strForwardUrl.startsWith ( AppPathService.getBaseUrl( request ) ) )
+        {
+            Logger logger = Logger.getLogger( LOGGER_NAME );
+            logger.warn( "SECURITY WARNING : OPEN_REDIRECT DETECTED : " + dumpRequest( request ) );
+
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+
 
     /**
      * Identify user data saved in log files to prevent Log Forging attacks
diff --git a/src/test/java/fr/paris/lutece/util/http/SecurityUtilTest.java b/src/test/java/fr/paris/lutece/util/http/SecurityUtilTest.java
@@ -84,4 +84,47 @@ public void testContainsCleanParameters( )
         request.setParameter( "param4", "}" );
         assertTrue( SecurityUtil.containsCleanParameters( request ) );
     }
+
+
+    /**
+     * Test of isForwardUrlValid method, of class SecurityUtil, to avoid open redirect
+     */
+    @Test
+    public void testisForwardUrlValid( )
+    {
+        System.out.println( "isForwardUrlValid" );
+
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+
+        String strForwardUrl = null;
+        assertFalse( SecurityUtil.isForwardUrlValid( strForwardUrl, request) );
+
+        strForwardUrl = "";
+        request.setParameter( "url", strForwardUrl );
+        assertFalse( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "http://anothersite.com";
+        request.setParameter( "url", strForwardUrl );
+        assertFalse( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "//anothersite.com";
+        request.setParameter( "url", strForwardUrl );
+        assertFalse( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "file://my.txt";
+        request.setParameter( "url", strForwardUrl );
+        assertFalse( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "/jsp/site/Portal.jsp";
+        request.setParameter( "url", strForwardUrl );
+        assertTrue( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "Another.jsp";
+        request.setParameter( "url", strForwardUrl );
+        assertTrue( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+
+        strForwardUrl = "http://localhost/myapp/jsp/site/Portal.jsp";
+        request.setParameter( "url", strForwardUrl );
+        assertTrue( SecurityUtil.isForwardUrlValid( strForwardUrl, request ) );
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,8 @@ public String doModifyUserTheme( HttpServletRequest request, HttpServletResponse`
`138`	`138`	`String strTheme = request.getParameter( PARAMETER_THEME );`
`139`	`139`	`String strForwardUrl = request.getParameter( PARAMETER_URL );`
`140`	`140`
`141`		`- if ( !SecurityUtil.containsCleanParameters( request ) )`
	`141`	`+ if ( !SecurityUtil.containsCleanParameters( request )`
	`142`	`+ \|\| !SecurityUtil.isForwardUrlValid( strForwardUrl, request) )`
`142`	`143`	`{`
`143`	`144`	`return AppPathService.getBaseUrl( request );`
`144`	`145`	`}`