-
Notifications
You must be signed in to change notification settings - Fork 5.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Closes gh-15967
- Loading branch information
Showing
10 changed files
with
1,805 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
202 changes: 202 additions & 0 deletions
202
docs/modules/ROOT/pages/reactive/exploits/firewall.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,202 @@ | ||
| [[webflux-serverwebexchangefirewall]] | ||
| = ServerWebExchangeFirewall | ||
|
|
||
| There are various ways a request can be created by malicious users that can exploit applications. | ||
| Spring Security provides the `ServerWebExchangeFirewall` to allow rejecting requests that look malicious. | ||
| The default implementation is `StrictServerWebExchangeFirewall` which rejects malicious requests. | ||
|
|
||
| For example a request could contain path-traversal sequences (such as `/../`) or multiple forward slashes (`//`) that could also cause pattern-matches to fail. | ||
| Some containers normalize these out before performing the servlet mapping, but others do not. | ||
| To protect against issues like these, `WebFilterChainProxy` uses a `ServerWebExchangeFirewall` strategy to check and wrap the request. | ||
| By default, un-normalized requests are automatically rejected, and path parameters are removed for matching purposes. | ||
| (So, for example, an original request path of `/secure;hack=1/somefile.html;hack=2` is returned as `/secure/somefile.html`.) | ||
| It is, therefore, essential that a `WebFilterChainProxy` is used. | ||
|
|
||
| In practice, we recommend that you use method security at your service layer, to control access to your application, rather than rely entirely on the use of security constraints defined at the web-application level. | ||
| URLs change, and it is difficult to take into account all the possible URLs that an application might support and how requests might be manipulated. | ||
| You should restrict yourself to using a few simple patterns that are simple to understand. | ||
| Always try to use a "`deny-by-default`" approach, where you have a catch-all wildcard (`/**` or `**`) defined last to deny access. | ||
|
|
||
| Security defined at the service layer is much more robust and harder to bypass, so you should always take advantage of Spring Security's method security options. | ||
|
|
||
| You can customize the `ServerWebExchangeFirewall` by exposing it as a Bean. | ||
|
|
||
| .Allow Matrix Variables | ||
| [tabs] | ||
| ====== | ||
| Java:: | ||
| + | ||
| [source,java,role="primary"] | ||
| ---- | ||
| @Bean | ||
| public StrictServerWebExchangeFirewall httpFirewall() { | ||
| StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall(); | ||
| firewall.setAllowSemicolon(true); | ||
| return firewall; | ||
| } | ||
| ---- | ||
| Kotlin:: | ||
| + | ||
| [source,kotlin,role="secondary"] | ||
| ---- | ||
| @Bean | ||
| fun httpFirewall(): StrictServerWebExchangeFirewall { | ||
| val firewall = StrictServerWebExchangeFirewall() | ||
| firewall.setAllowSemicolon(true) | ||
| return firewall | ||
| } | ||
| ---- | ||
| ====== | ||
|
|
||
| To protect against https://www.owasp.org/index.php/Cross_Site_Tracing[Cross Site Tracing (XST)] and https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)[HTTP Verb Tampering], the `StrictServerWebExchangeFirewall` provides an allowed list of valid HTTP methods that are allowed. | ||
| The default valid methods are `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`. | ||
| If your application needs to modify the valid methods, you can configure a custom `StrictServerWebExchangeFirewall` bean. | ||
| The following example allows only HTTP `GET` and `POST` methods: | ||
|
|
||
|
|
||
| .Allow Only GET & POST | ||
| [tabs] | ||
| ====== | ||
| Java:: | ||
| + | ||
| [source,java,role="primary"] | ||
| ---- | ||
| @Bean | ||
| public StrictServerWebExchangeFirewall httpFirewall() { | ||
| StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall(); | ||
| firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST")); | ||
| return firewall; | ||
| } | ||
| ---- | ||
| Kotlin:: | ||
| + | ||
| [source,kotlin,role="secondary"] | ||
| ---- | ||
| @Bean | ||
| fun httpFirewall(): StrictServerWebExchangeFirewall { | ||
| val firewall = StrictServerWebExchangeFirewall() | ||
| firewall.setAllowedHttpMethods(listOf("GET", "POST")) | ||
| return firewall | ||
| } | ||
| ---- | ||
| ====== | ||
|
|
||
| If you must allow any HTTP method (not recommended), you can use `StrictServerWebExchangeFirewall.setUnsafeAllowAnyHttpMethod(true)`. | ||
| Doing so entirely disables validation of the HTTP method. | ||
|
|
||
|
|
||
| [[webflux-serverwebexchangefirewall-headers-parameters]] | ||
| `StrictServerWebExchangeFirewall` also checks header names and values and parameter names. | ||
| It requires that each character have a defined code point and not be a control character. | ||
|
|
||
| This requirement can be relaxed or adjusted as necessary by using the following methods: | ||
|
|
||
| * `StrictServerWebExchangeFirewall#setAllowedHeaderNames(Predicate)` | ||
| * `StrictServerWebExchangeFirewall#setAllowedHeaderValues(Predicate)` | ||
| * `StrictServerWebExchangeFirewall#setAllowedParameterNames(Predicate)` | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| Parameter values can be also controlled with `setAllowedParameterValues(Predicate)`. | ||
| ==== | ||
|
|
||
| For example, to switch off this check, you can wire your `StrictServerWebExchangeFirewall` with `Predicate` instances that always return `true`: | ||
|
|
||
| .Allow Any Header Name, Header Value, and Parameter Name | ||
| [tabs] | ||
| ====== | ||
| Java:: | ||
| + | ||
| [source,java,role="primary"] | ||
| ---- | ||
| @Bean | ||
| public StrictServerWebExchangeFirewall httpFirewall() { | ||
| StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall(); | ||
| firewall.setAllowedHeaderNames((header) -> true); | ||
| firewall.setAllowedHeaderValues((header) -> true); | ||
| firewall.setAllowedParameterNames((parameter) -> true); | ||
| return firewall; | ||
| } | ||
| ---- | ||
| Kotlin:: | ||
| + | ||
| [source,kotlin,role="secondary"] | ||
| ---- | ||
| @Bean | ||
| fun httpFirewall(): StrictServerWebExchangeFirewall { | ||
| val firewall = StrictServerWebExchangeFirewall() | ||
| firewall.setAllowedHeaderNames { true } | ||
| firewall.setAllowedHeaderValues { true } | ||
| firewall.setAllowedParameterNames { true } | ||
| return firewall | ||
| } | ||
| ---- | ||
| ====== | ||
|
|
||
| Alternatively, there might be a specific value that you need to allow. | ||
|
|
||
| For example, iPhone Xʀ uses a `User-Agent` that includes a character that is not in the ISO-8859-1 charset. | ||
| Due to this fact, some application servers parse this value into two separate characters, the latter being an undefined character. | ||
|
|
||
| You can address this with the `setAllowedHeaderValues` method: | ||
|
|
||
| .Allow Certain User Agents | ||
| [tabs] | ||
| ====== | ||
| Java:: | ||
| + | ||
| [source,java,role="primary"] | ||
| ---- | ||
| @Bean | ||
| public StrictServerWebExchangeFirewall httpFirewall() { | ||
| StrictServerWebExchangeFirewall firewall = new StrictServerWebExchangeFirewall(); | ||
| Pattern allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*"); | ||
| Pattern userAgent = ...; | ||
| firewall.setAllowedHeaderValues((header) -> allowed.matcher(header).matches() || userAgent.matcher(header).matches()); | ||
| return firewall; | ||
| } | ||
| ---- | ||
| Kotlin:: | ||
| + | ||
| [source,kotlin,role="secondary"] | ||
| ---- | ||
| @Bean | ||
| fun httpFirewall(): StrictServerWebExchangeFirewall { | ||
| val firewall = StrictServerWebExchangeFirewall() | ||
| val allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*") | ||
| val userAgent = Pattern.compile(...) | ||
| firewall.setAllowedHeaderValues { allowed.matcher(it).matches() || userAgent.matcher(it).matches() } | ||
| return firewall | ||
| } | ||
| ---- | ||
| ====== | ||
|
|
||
| In the case of header values, you may instead consider parsing them as UTF-8 at verification time: | ||
|
|
||
| .Parse Headers As UTF-8 | ||
| [tabs] | ||
| ====== | ||
| Java:: | ||
| + | ||
| [source,java,role="primary"] | ||
| ---- | ||
| firewall.setAllowedHeaderValues((header) -> { | ||
| String parsed = new String(header.getBytes(ISO_8859_1), UTF_8); | ||
| return allowed.matcher(parsed).matches(); | ||
| }); | ||
| ---- | ||
| Kotlin:: | ||
| + | ||
| [source,kotlin,role="secondary"] | ||
| ---- | ||
| firewall.setAllowedHeaderValues { | ||
| val parsed = String(header.getBytes(ISO_8859_1), UTF_8) | ||
| return allowed.matcher(parsed).matches() | ||
| } | ||
| ---- | ||
| ====== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
66 changes: 66 additions & 0 deletions
66
...a/org/springframework/security/web/server/firewall/HttpStatusExchangeRejectedHandler.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| /* | ||
| * Copyright 2002-2024 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.web.server.firewall; | ||
|
|
||
| import org.apache.commons.logging.Log; | ||
| import org.apache.commons.logging.LogFactory; | ||
| import reactor.core.publisher.Mono; | ||
|
|
||
| import org.springframework.core.log.LogMessage; | ||
| import org.springframework.http.HttpStatus; | ||
| import org.springframework.web.server.ServerWebExchange; | ||
|
|
||
| /** | ||
| * A simple implementation of {@link ServerExchangeRejectedHandler} that sends an error | ||
| * with configurable status code. | ||
| * | ||
| * @author Rob Winch | ||
| * @since 5.7.13 | ||
| */ | ||
| public class HttpStatusExchangeRejectedHandler implements ServerExchangeRejectedHandler { | ||
|
|
||
| private static final Log logger = LogFactory.getLog(HttpStatusExchangeRejectedHandler.class); | ||
|
|
||
| private final HttpStatus status; | ||
|
|
||
| /** | ||
| * Constructs an instance which uses {@code 400} as response code. | ||
| */ | ||
| public HttpStatusExchangeRejectedHandler() { | ||
| this(HttpStatus.BAD_REQUEST); | ||
| } | ||
|
|
||
| /** | ||
| * Constructs an instance which uses a configurable http code as response. | ||
| * @param status http status code to use | ||
| */ | ||
| public HttpStatusExchangeRejectedHandler(HttpStatus status) { | ||
| this.status = status; | ||
| } | ||
|
|
||
| @Override | ||
| public Mono<Void> handle(ServerWebExchange exchange, | ||
| ServerExchangeRejectedException serverExchangeRejectedException) { | ||
| return Mono.fromRunnable(() -> { | ||
| logger.debug( | ||
| LogMessage.format("Rejecting request due to: %s", serverExchangeRejectedException.getMessage()), | ||
| serverExchangeRejectedException); | ||
| exchange.getResponse().setStatusCode(this.status); | ||
| }); | ||
| } | ||
|
|
||
| } |
31 changes: 31 additions & 0 deletions
31
...ava/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| /* | ||
| * Copyright 2002-2024 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.web.server.firewall; | ||
|
|
||
| /** | ||
| * Thrown when a {@link org.springframework.web.server.ServerWebExchange} is rejected. | ||
| * | ||
| * @author Rob Winch | ||
| * @since 5.7.13 | ||
| */ | ||
| public class ServerExchangeRejectedException extends RuntimeException { | ||
|
|
||
| public ServerExchangeRejectedException(String message) { | ||
| super(message); | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.