SONAR-8423 Properly fail on invalid basic header

SonarSource · Nov 28, 2016 · 3383b0f · 3383b0f
1 parent aa13239
commit 3383b0f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/server/sonar-server/src/main/java/org/sonar/server/authentication/BasicAuthenticator.java b/server/sonar-server/src/main/java/org/sonar/server/authentication/BasicAuthenticator.java
@@ -65,7 +65,7 @@ public Optional<UserDto> authenticate(HttpServletRequest request) {
 
   private static String[] getCredentials(String authorizationHeader) {
     String basicAuthEncoded = authorizationHeader.substring(6);
-    String basicAuthDecoded = new String(BASE64_DECODER.decode(basicAuthEncoded.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
+    String basicAuthDecoded = getDecodedBasicAuth(basicAuthEncoded);
 
     int semiColonPos = basicAuthDecoded.indexOf(':');
     if (semiColonPos <= 0) {
@@ -76,6 +76,14 @@ private static String[] getCredentials(String authorizationHeader) {
     return new String[] {login, password};
   }
 
+  private static String getDecodedBasicAuth(String basicAuthEncoded) {
+    try {
+      return new String(BASE64_DECODER.decode(basicAuthEncoded.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
+    } catch (Exception e) {
+      throw new UnauthorizedException("Invalid basic header");
+    }
+  }
+
   private UserDto authenticate(String login, String password, HttpServletRequest request) {
     if (isEmpty(password)) {
       return authenticateFromUserToken(login);

diff --git a/...er/sonar-server/src/test/java/org/sonar/server/authentication/BasicAuthenticatorTest.java b/...er/sonar-server/src/test/java/org/sonar/server/authentication/BasicAuthenticatorTest.java
@@ -20,14 +20,6 @@
 
 package org.sonar.server.authentication;
 
-import static com.google.common.base.Charsets.UTF_8;
-import static org.assertj.core.api.Java6Assertions.assertThat;
-import static org.junit.rules.ExpectedException.none;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
-import static org.mockito.Mockito.when;
-
 import java.util.Base64;
 import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
@@ -44,6 +36,14 @@
 import org.sonar.server.exceptions.UnauthorizedException;
 import org.sonar.server.usertoken.UserTokenAuthenticator;
 
+import static com.google.common.base.Charsets.UTF_8;
+import static org.assertj.core.api.Java6Assertions.assertThat;
+import static org.junit.rules.ExpectedException.none;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+
 public class BasicAuthenticatorTest {
 
   private static final Base64.Encoder BASE64_ENCODER = Base64.getEncoder();
@@ -117,6 +117,15 @@ public void fail_to_authenticate_when_no_login() throws Exception {
     underTest.authenticate(request);
   }
 
+  @Test
+  public void fail_to_authenticate_when_invalid_header() throws Exception {
+    when(request.getHeader("Authorization")).thenReturn("Basic Invàlid");
+
+    expectedException.expect(UnauthorizedException.class);
+    expectedException.expectMessage("Invalid basic header");
+    underTest.authenticate(request);
+  }
+
   @Test
   public void authenticate_from_user_token() throws Exception {
     insertUser(UserTesting.newUserDto().setLogin(LOGIN));