LUTECE-2206 : Avoid open redirect when modifying a theme

Author: seboo

src/java/fr/paris/lutece/portal/web/style/ThemesJspBean.java

@@ -40,6 +40,7 @@
 import fr.paris.lutece.portal.service.portal.ThemesService;
 import fr.paris.lutece.portal.service.template.AppTemplateService;
 import fr.paris.lutece.portal.service.util.AppPathService;
+import fr.paris.lutece.portal.service.util.AppPropertiesService;
 import fr.paris.lutece.portal.web.admin.AdminFeaturesPageJspBean;
 import fr.paris.lutece.portal.web.constants.Messages;
 import fr.paris.lutece.util.html.HtmlTemplate;
@@ -137,8 +138,10 @@ public String doModifyUserTheme( HttpServletRequest request, HttpServletResponse
     {
         String strTheme = request.getParameter( PARAMETER_THEME );
         String strForwardUrl = request.getParameter( PARAMETER_URL );
+        String strAntPathMatcherPatternsValues = AppPropertiesService.getProperty( SecurityUtil.PROPERTY_ANTPATHMATCHER_PATTERNS );
 
-        if ( !SecurityUtil.containsCleanParameters( request ) )
+        if ( !SecurityUtil.containsCleanParameters( request )
+                || !SecurityUtil.isRedirectUrlSafe( strForwardUrl, request, strAntPathMatcherPatternsValues) )
         {
             return AppPathService.getBaseUrl( request );
         }

src/java/fr/paris/lutece/util/http/SecurityUtil.java

@@ -33,6 +33,7 @@
  */
 package fr.paris.lutece.util.http;
 
+import fr.paris.lutece.portal.service.util.AppPathService;
 import fr.paris.lutece.portal.web.LocalVariables;
 import fr.paris.lutece.util.string.StringUtil;
 
@@ -43,6 +44,7 @@
 import java.util.Enumeration;
 
 import javax.servlet.http.HttpServletRequest;
+import org.springframework.util.AntPathMatcher;
 
 /**
  * Security utils
@@ -54,13 +56,16 @@ public final class SecurityUtil
     private static final String CONSTANT_HTTP_HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
     private static final String PATTERN_IP_ADDRESS = "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
     private static final String CONSTANT_COMMA = ",";
+    private static final String CONSTANT_PATH_SEPARATOR = "." ;
     private static final String [ ] XXE_TERMS = {
             "!DOCTYPE", "!ELEMENT", "!ENTITY"
     };
     private static final String [ ] PATH_MANIPULATION = {
             "..", "/", "\\"
     };
 
+    public static final String PROPERTY_ANTPATHMATCHER_PATTERNS = "lutece.security.antpathmatcher.patterns";
+
     // private static final String PATTERN_CLEAN_PARAMETER = "^[\\w/]+$+";
 
     /**
@@ -266,6 +271,75 @@ public static String getRealIp( HttpServletRequest request )
 
         return strIPAddress;
     }
+    
+    /**
+     * Validate a forward URL to avoid open redirect
+     * [see isRedirectUrlSafe(String, HttpServletRequest, String)]
+     * 
+     * @param strUrl
+     * @param request
+     * @return true if valid
+     */
+    public static boolean isRedirectUrlSafe( String strUrl, HttpServletRequest request )
+    {
+        return isRedirectUrlSafe( strUrl, request, null );
+    }
+
+
+    /**
+     * Validate a forward URL to avoid open redirect
+     * the url should :
+     *      - not be blank (null or empty string or spaces)
+     *      - not start with "http://" or "https://" or "//" OR match the base URL or any URL in the pattern list 
+     * 
+     * example with a base url "https://lutece.fr/ :
+     *      - valid : myapp/jsp/site/Portal.jsp , Another.jsp , https://lutece.fr/myapp/jsp/site/Portal.jsp
+     *      - invalid : http://anothersite.com , https://anothersite.com , //anothersite.com , file://my.txt , ...
+     * 
+     * 
+     * @param strUrl the Url to validate
+     * @param request the current request (containing the baseUrl)
+     * @param strAntPathMatcherPatterns a comma separated list of AntPathMatcher patterns, as "http://**.lutece.com,https://**.lutece.com"
+     * @return true if valid
+     */
+    public static boolean isRedirectUrlSafe( String strUrl, HttpServletRequest request, String strAntPathMatcherPatterns )
+    {
+
+        if ( StringUtils.isBlank( strUrl) ) return false ;
+	AntPathMatcher pathMatcher = new AntPathMatcher();
+        pathMatcher.setPathSeparator( CONSTANT_PATH_SEPARATOR );
+
+        if ( !strUrl.startsWith( "//" ) && !strUrl.startsWith("http://" ) && !strUrl.startsWith("https://" ) && !strUrl.startsWith("javascript:" ) )
+        {
+            // relative path
+            return true ;
+        }
+        else 
+        {
+            // check base urls
+            if ( !pathMatcher.matchStart( strUrl, AppPathService.getBaseUrl( request ) ) )
+                    return true ;
+
+            if ( strAntPathMatcherPatterns != null )
+            {
+                String[] strAntPathMatcherPatternsTab =  strAntPathMatcherPatterns.split( CONSTANT_COMMA ) ;
+                for ( String pattern : strAntPathMatcherPatternsTab )
+                {
+                    if ( pattern != null && pathMatcher.match( pattern , strUrl ) )
+                        return true ;
+                }
+            }
+
+
+            // the Url does not match the allowed patterns
+            Logger logger = Logger.getLogger( LOGGER_NAME );
+            logger.warn( "SECURITY WARNING : OPEN_REDIRECT DETECTED : " + dumpRequest( request ) );
+
+            return false;
+        }
+
+    }
+
 
     /**
      * Identify user data saved in log files to prevent Log Forging attacks

src/test/java/fr/paris/lutece/util/http/SecurityUtilTest.java

@@ -84,4 +84,52 @@ public void testContainsCleanParameters( )
         request.setParameter( "param4", "}" );
         assertTrue( SecurityUtil.containsCleanParameters( request ) );
     }
+
+
+    /**
+     * Test of isRedirectUrlSafe method, of class SecurityUtil, to avoid open redirect
+     */
+    @Test
+    public void testIsRedirectUrlSafe( )
+    {
+        System.out.println( "isRedirectUrlSafe" );
+
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+
+        String strUrl = null;
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request) );
+
+        strUrl = "";
+        request.setParameter( "url", strUrl );
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "http://anothersite.com";
+        request.setParameter( "url", strUrl );
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "//anothersite.com";
+        request.setParameter( "url", strUrl );
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "file://my.txt";
+        request.setParameter( "url", strUrl );
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "javascript:alert('hello');";
+        request.setParameter( "url", strUrl );
+        assertFalse( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "/jsp/site/Portal.jsp";
+        request.setParameter( "url", strUrl );
+        assertTrue( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "Another.jsp";
+        request.setParameter( "url", strUrl );
+        assertTrue( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+        strUrl = "http://localhost/myapp/jsp/site/Portal.jsp";
+        request.setParameter( "url", strUrl );
+        assertTrue( SecurityUtil.isRedirectUrlSafe( strUrl, request ) );
+
+    }
 }