Skip to content

Commit

Permalink
fix: detect Flow PUSH requests as internal framework requests (#19085) (
Browse files Browse the repository at this point in the history 
#19110)

HandlerHelper is currently not considering Flow PUSH requests
(/VAADIN/push) as internal, preventing VaadinWebSecurity to
ignore CSRF checks.
The issues happen only for ping requests; the connection request
is not affected because it is a GET request.

Fixes #19075

Co-authored-by: Marco Collovati <marco@vaadin.com>
  • Loading branch information
@vaadin-bot @mcollovati
vaadin-bot and mcollovati committed Apr 4, 2024
1 parent 86d36d9 commit bd9bf0e
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 4 deletions.
4 changes: 4 additions & 0 deletions flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,10 @@ private static boolean isFrameworkInternalRequest(String servletMappingPath,
requestedPathWithoutServletMapping.get(),
requestTypeParameter)) {
return true;
} else if (RequestType.PUSH.getIdentifier().equals(requestTypeParameter)
&& "VAADIN/push"
.equals(requestedPathWithoutServletMapping.get())) {
return true;
} else if (isUploadRequest(requestedPathWithoutServletMapping.get())) {
return true;
} else if (isHillaPush(requestedPathWithoutServletMapping.get())) {
Expand Down
26 changes: 22 additions & 4 deletions flow-server/src/test/java/com/vaadin/flow/server/HandlerHelperTest.java
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
package com.vaadin.flow.server;

import jakarta.servlet.http.HttpServletRequest;

import java.util.Collections;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;

import com.vaadin.flow.server.HandlerHelper.RequestType;

import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;

import com.vaadin.flow.server.HandlerHelper.RequestType;

public class HandlerHelperTest {

private HttpServletRequest createRequest(String pathInfo,
Expand Down Expand Up @@ -216,6 +216,24 @@ public void isFrameworkInternalRequest_hillaPushUrl() {
request.getHttpServletRequest()));
}

@Test
public void isFrameworkInternalRequest_flowPushUrl() {
VaadinServletRequest request = createVaadinRequest("VAADIN/push", "",
RequestType.PUSH);

Assert.assertTrue(HandlerHelper.isFrameworkInternalRequest("/*",
request.getHttpServletRequest()));
}

@Test
public void isFrameworkInternalRequest_vaadinServletMapping_flowPushUrl() {
VaadinServletRequest request = createVaadinRequest("/VAADIN/push",
"/ui", RequestType.PUSH);

Assert.assertTrue(HandlerHelper.isFrameworkInternalRequest("/ui/*",
request.getHttpServletRequest()));
}

@Test
public void isFrameworkInternalRequest_fakeUploadUrl() {
VaadinServletRequest request = createVaadinRequest(
Expand Down

0 comments on commit bd9bf0e

Please sign in to comment.