Ticket #21935: 21935.2.patch

File 21935.2.patch, 7.0 KB (added by taylor.smock, 3 years ago)

Add non-regression test

  • src/org/openstreetmap/josm/tools/HttpClient.java 

    diff --git a/src/org/openstreetmap/josm/tools/HttpClient.java b/src/org/openstreetmap/josm/tools/HttpClient.java
index 8d8fba38f7..4abad92b71 100644
    a b public abstract class HttpClient {  
    188188                    throw new IOException(tr("Unexpected response from HTTP server. Got {0} response without ''Location'' header." +
    189189                            " Can''t redirect. Aborting.", cr.getResponseCode()));
    190190                } else if (maxRedirects > 0) {
     191                    final URL oldUrl = url;
    191192                    url = new URL(url, redirectLocation);
    192193                    maxRedirects--;
    193194                    logRequest(tr("Download redirected to ''{0}''", redirectLocation));
     195                    // Fix JOSM #21935: Avoid leaking `Authorization` header on redirects.
     196                    if (!Objects.equals(oldUrl.getHost(), this.url.getHost()) && this.getRequestHeader("Authorization") != null) {
     197                        logRequest(tr("Download redirected to different host (''{0}'' -> ''{1}''), removing authorization headers",
     198                                oldUrl.getHost(), url.getHost()));
     199                        this.headers.remove("Authorization");
     200                    }
    194201                    response = connect();
    195202                    successfulConnection = true;
    196203                    return response;

  • test/functional/org/openstreetmap/josm/tools/HttpClientTest.java 

    diff --git a/test/functional/org/openstreetmap/josm/tools/HttpClientTest.java b/test/functional/org/openstreetmap/josm/tools/HttpClientTest.java
index bdb3b278de..0b181ff4a3 100644
    a b import static org.hamcrest.CoreMatchers.nullValue;  
    1515import static org.hamcrest.CoreMatchers.startsWith;
    1616import static org.hamcrest.MatcherAssert.assertThat;
    1717import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
     18import static org.junit.jupiter.api.Assertions.assertAll;
    1819import static org.junit.jupiter.api.Assertions.assertEquals;
     20import static org.junit.jupiter.api.Assertions.assertFalse;
    1921import static org.junit.jupiter.api.Assertions.assertThrows;
    2022import static org.junit.jupiter.api.Assertions.assertTrue;
    2123
    import java.nio.file.Path;  
    2931import java.nio.file.Paths;
    3032import java.util.Collections;
    3133import java.util.Map;
     34import java.util.UUID;
    3235import java.util.logging.Handler;
    3336import java.util.logging.LogRecord;
    3437import java.util.regex.Matcher;
    import java.util.stream.Collectors;  
    3740import org.junit.jupiter.api.BeforeEach;
    3841import org.junit.jupiter.api.Test;
    3942import org.junit.jupiter.api.Timeout;
     43import org.junit.jupiter.params.ParameterizedTest;
     44import org.junit.jupiter.params.provider.ValueSource;
    4045import org.openstreetmap.josm.TestUtils;
    4146import org.openstreetmap.josm.data.Version;
    4247import org.openstreetmap.josm.gui.progress.ProgressMonitor;
    import org.openstreetmap.josm.testutils.annotations.HTTP;  
    4651import org.openstreetmap.josm.tools.HttpClient.Response;
    4752
    4853import com.github.tomakehurst.wiremock.WireMockServer;
     54import com.github.tomakehurst.wiremock.admin.model.ServeEventQuery;
    4955import com.github.tomakehurst.wiremock.http.HttpHeader;
    5056import com.github.tomakehurst.wiremock.http.HttpHeaders;
    5157import com.github.tomakehurst.wiremock.matching.UrlPattern;
     58import com.github.tomakehurst.wiremock.stubbing.ServeEvent;
    5259
    5360/**
    5461 * Tests the {@link HttpClient}.
    class HttpClientTest {  
    235242        assertThrows(IOException.class, () -> HttpClient.create(url("/relative-redirect/3")).setMaxRedirects(2).connect(progress));
    236243    }
    237244
     245    /**
     246     * Ensure that we don't leak authorization headers
     247     * See <a href="https://josm.openstreetmap.de/ticket/21935">JOSM #21935</a>
     248     * @param authorization The various authorization configurations to test
     249     */
     250    @ParameterizedTest
     251    @ValueSource(strings = { "Basic dXNlcm5hbWU6cGFzc3dvcmQ=", "Digest username=test_user",
     252            /* OAuth 1.0 for OSM as implemented in JOSM core */
     253            "OAuth oauth_consumer_key=\"test_key\", oauth_nonce=\"1234\", oauth_signature=\"test_signature\", "
     254                    + "oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"0\", oauth_token=\"test_token\", "
     255                    + "oauth_version=\"1.0\"",
     256            /* OAuth 2.0, not yet implemented in JOSM core */
     257            "Bearer some_random_token"
     258        })
     259    void testRedirectsToDifferentSite(String authorization) throws IOException {
     260        final String localhost = "localhost";
     261        final String localhostIp = "127.0.0.1";
     262        final String otherServer = this.localServer.baseUrl().contains(localhost) ? localhostIp : localhost;
     263        final UUID redirect = this.localServer.stubFor(get(urlEqualTo("/redirect/other-site"))
     264                .willReturn(aResponse().withStatus(302).withHeader(
     265                        "Location", localServer.url("/same-site/other-site")))).getId();
     266        final UUID sameSite = this.localServer.stubFor(get(urlEqualTo("/same-site/other-site"))
     267                .willReturn(aResponse().withStatus(302).withHeader(
     268                        "Location", localServer.url("/other-site")
     269                                .replace(otherServer == localhost ? localhostIp : localhost, otherServer)))).getId();
     270        final UUID otherSite = this.localServer.stubFor(get(urlEqualTo("/other-site"))
     271                .willReturn(aResponse().withStatus(200).withBody("other-site-here"))).getId();
     272        final HttpClient client = HttpClient.create(url("/redirect/other-site"));
     273        client.setHeader("Authorization", authorization);
     274        try {
     275            client.connect();
     276            this.localServer.getServeEvents();
     277            final ServeEvent first = this.localServer.getServeEvents(ServeEventQuery.forStubMapping(redirect)).getRequests().get(0);
     278            final ServeEvent second = this.localServer.getServeEvents(ServeEventQuery.forStubMapping(sameSite)).getRequests().get(0);
     279            final ServeEvent third = this.localServer.getServeEvents(ServeEventQuery.forStubMapping(otherSite)).getRequests().get(0);
     280            assertAll(() -> assertEquals(3, this.localServer.getServeEvents().getRequests().size()),
     281                    () -> assertEquals(authorization, first.getRequest().getHeader("Authorization"),
     282                    "Authorization is expected for the first request: " + first.getRequest().getUrl()),
     283                    () -> assertEquals(authorization, second.getRequest().getHeader("Authorization"),
     284                            "Authorization is expected for the second request: " + second.getRequest().getUrl()),
     285                    () -> assertFalse(third.getRequest().containsHeader("Authorization"),
     286                    "Authorization is not expected for the third request: " + third.getRequest().getUrl()));
     287        } finally {
     288            client.disconnect();
     289        }
     290    }
     291
    238292    /**
    239293     * Test HTTP error 418
    240294     * @throws IOException if an I/O error occurs