Improved: Check parameters passed in URLs (OFBIZ-13295)

JacquesLeRoux · JacquesLeRoux · commit aa0db808a661 · 2025-10-12T08:17:46.000+02:00
Better completely bypass "Prevents stream exploitation" block in
ControlFilter.java

Also better uses the token bypassPreventsStreamExploitation in
ControlFilterTests

Conflicts handled by hand in ControlFilter.java
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -174,11 +174,10 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
         String context = req.getContextPath();
         HttpSession session = req.getSession();
 
-        // Prevents stream exploitation
-        if (!isSolrTest()) {
-            if (!isControlFilterTests()) {
-                UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
-            }
+        if (!(isSolrTest() || isControlFilterTests())) {
+            // Prevents stream exploitation
+            UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
+            UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
             Map<String, Object> parameters = UtilHttp.getParameterMap(req);
             boolean reject = false;
             if (!parameters.isEmpty()) {
@@ -197,10 +196,10 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
                             reject = true;
                         }
                     }
-                    if (reject) {
-                        Debug.logError("For security reason this URL is not accepted", MODULE);
-                        throw new RuntimeException("For security reason this URL is not accepted");
-                    }
+                }
+                if (reject) {
+                    Debug.logError("For security reason this URL is not accepted", MODULE);
+                    throw new RuntimeException("For security reason this URL is not accepted");
                 }
             }
         }
diff --git a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
@@ -58,7 +58,7 @@ public void setUp() {
 
     @Test
     public void filterWithExactAllowedPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar");
@@ -72,7 +72,7 @@ public void filterWithExactAllowedPath() throws Exception {
 
     @Test
     public void filterWithAllowedSubPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar/baz");
@@ -86,7 +86,7 @@ public void filterWithAllowedSubPath() throws Exception {
 
     @Test
     public void filterWithRedirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/bar:/baz");
         when(req.getRequestURI()).thenReturn("/missing/path");
@@ -99,7 +99,7 @@ public void filterWithRedirection() throws Exception {
 
     @Test
     public void filterWithURIredirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("http://example.org/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/baz");
@@ -112,7 +112,7 @@ public void filterWithURIredirection() throws Exception {
 
     @Test
     public void bailsOutWithVariousErrorCodes() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
         when(req.getRequestURI()).thenReturn("/baz");
 
@@ -143,7 +143,7 @@ public void bailsOutWithVariousErrorCodes() throws Exception {
 
     @Test
     public void redirectAllAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -157,7 +157,7 @@ public void redirectAllAllowed() throws Exception {
 
     @Test
     public void redirectAllNotAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -171,7 +171,7 @@ public void redirectAllNotAllowed() throws Exception {
 
     @Test
     public void redirectAllRecursive() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");

Original file line number	Diff line number	Diff line change
`@@ -174,11 +174,10 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha`
`174`	`174`	`String context = req.getContextPath();`
`175`	`175`	`HttpSession session = req.getSession();`
`176`	`176`
`177`		`- // Prevents stream exploitation`
`178`		`- if (!isSolrTest()) {`
`179`		`- if (!isControlFilterTests()) {`
`180`		`- UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());`
`181`		`- }`
	`177`	`+ if (!(isSolrTest() \|\| isControlFilterTests())) {`
	`178`	`+ // Prevents stream exploitation`
	`179`	`+ UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());`
	`180`	`+ UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());`
`182`	`181`	`Map<String, Object> parameters = UtilHttp.getParameterMap(req);`
`183`	`182`	`boolean reject = false;`
`184`	`183`	`if (!parameters.isEmpty()) {`
`@@ -197,10 +196,10 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha`
`197`	`196`	`reject = true;`
`198`	`197`	`}`
`199`	`198`	`}`
`200`		`- if (reject) {`
`201`		`- Debug.logError("For security reason this URL is not accepted", MODULE);`
`202`		`- throw new RuntimeException("For security reason this URL is not accepted");`
`203`		`- }`
	`199`	`+ }`
	`200`	`+ if (reject) {`
	`201`	`+ Debug.logError("For security reason this URL is not accepted", MODULE);`
	`202`	`+ throw new RuntimeException("For security reason this URL is not accepted");`
`204`	`203`	`}`
`205`	`204`	`}`
`206`	`205`	`}`