Skip to content
Permalink
Browse files Browse the repository at this point in the history
XWIKI-19994: False positive redirect checking
  • Loading branch information
surli committed Sep 5, 2022
1 parent 00af08f commit e4f7f68
Show file tree
Hide file tree
Showing 2 changed files with 131 additions and 1 deletion.
Expand Up @@ -38,7 +38,7 @@
public class XWikiServletResponse implements XWikiResponse
{
private static final Logger LOGGER = LoggerFactory.getLogger(XWikiServletResponse.class);
private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+://.*");
private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+:/[/]?.*");

private HttpServletResponse response;

Expand Down Expand Up @@ -71,6 +71,13 @@ public void sendRedirect(String redirect) throws IOException
return;
}

if (StringUtils.startsWith(redirect, "//")) {
LOGGER.warn("Possible phishing attack, attempting to redirect to [{}]. If this request is legitimate, "
+ "use an actual absolute URL and pay attention to configure properly url.trustedDomains in "
+ "xwiki.properties", redirect);
return;
}

// check for trusted domains, only if the given location is an absolute URL.
if (ABSOLUTE_URL_PATTERN.matcher(redirect).matches()) {
if (!getURLSecurityManager().isDomainTrusted(new URL(redirect))) {
Expand Down
@@ -0,0 +1,123 @@
/*
* See the NOTICE file distributed with this work for additional
* information regarding copyright ownership.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package com.xpn.xwiki.web;

import java.io.IOException;
import java.net.URL;

import javax.servlet.http.HttpServletResponse;

import org.apache.ecs.wml.U;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.xwiki.component.manager.ComponentManager;
import org.xwiki.test.annotation.BeforeComponent;
import org.xwiki.test.junit5.mockito.ComponentTest;
import org.xwiki.test.junit5.mockito.InjectMockComponents;
import org.xwiki.test.junit5.mockito.MockComponent;
import org.xwiki.test.mockito.MockitoComponentManager;
import org.xwiki.url.URLSecurityManager;

import static org.junit.jupiter.api.Assertions.*;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

/**
* Tests for {@link XWikiServletResponse}.
*
* @version $Id$
*/
@ComponentTest
class XWikiServletResponseTest
{
@MockComponent
private URLSecurityManager urlSecurityManager;

private XWikiServletResponse servletResponse;
private HttpServletResponse httpServletResponse;

@BeforeComponent
void beforeComponent(MockitoComponentManager mockitoComponentManager) throws Exception
{
mockitoComponentManager.registerComponent(ComponentManager.class, "context", mockitoComponentManager);
Utils.setComponentManager(mockitoComponentManager);
}

@BeforeEach
void setup()
{
this.httpServletResponse = mock(HttpServletResponse.class);
this.servletResponse = new XWikiServletResponse(this.httpServletResponse);
}

@Test
void sendRedirect() throws IOException
{
this.servletResponse.sendRedirect("");
verify(this.httpServletResponse, never()).sendRedirect(any());

this.servletResponse.sendRedirect("/xwiki/\n/something/");
verify(this.httpServletResponse, never()).sendRedirect(any());

this.servletResponse.sendRedirect("//xwiki.org/xwiki/something/");
verify(this.httpServletResponse, never()).sendRedirect(any());

String redirect = "http://xwiki.org/xwiki/something/";
URL redirectUrl = new URL(redirect);
when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
this.servletResponse.sendRedirect(redirect);
verify(this.httpServletResponse, never()).sendRedirect(any());
verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);

redirect = "http:/xwiki.com/xwiki/something/";
redirectUrl = new URL(redirect);
when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
this.servletResponse.sendRedirect(redirect);
verify(this.httpServletResponse, never()).sendRedirect(any());
verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);

redirect = "https://floo";
redirectUrl = new URL(redirect);
when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
this.servletResponse.sendRedirect(redirect);
verify(this.httpServletResponse, never()).sendRedirect(any());
verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);

redirect = "ftp://xwiki.org/xwiki/something/";
redirectUrl = new URL(redirect);
when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
this.servletResponse.sendRedirect(redirect);
verify(this.httpServletResponse, never()).sendRedirect(any());
verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);

this.servletResponse.sendRedirect("/xwiki/something/");
verify(this.httpServletResponse).sendRedirect("/xwiki/something/");

redirect = "http://xwiki.org/foo/";
redirectUrl = new URL(redirect);
when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(true);
this.servletResponse.sendRedirect(redirect);
verify(this.httpServletResponse).sendRedirect(redirect);
verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
}
}

0 comments on commit e4f7f68

Please sign in to comment.