SONAR-18393 Return 400 Bad Request in case request contains unsupported char
authorAurelien Poscia <aurelien.poscia@sonarsource.com>
Thu, 30 Mar 2023 13:27:00 +0000 (15:27 +0200)
committersonartech <sonartech@sonarsource.com>
Thu, 30 Mar 2023 20:03:07 +0000 (20:03 +0000)
server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java

index 83522dc7c142f60df2bd9c0b738bfc6cf07bbd3c..cf90d58805c886f5ffd70c98f122a0f8e5b6efcc 100644 (file)
@@ -64,6 +64,11 @@ public class SecurityServletFilter implements Filter {
    * Adds security HTTP headers in the response. The headers are added using {@code setHeader()}, which overwrites existing headers.
    */
   public static void addSecurityHeaders(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+    if (httpRequest.getRequestURI() == null) {
+      httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+      return;
+    }
+
     // Clickjacking protection
     // See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
     // The protection is disabled on purpose for integration in external systems like Github (/integration/github).
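Review bot: The early return in the new null-URI branch leaves a 400 response that carries none of the security headers this method exists to add, and because addSecurityHeaders is void the caller receives no signal that the request was rejected; doFilter is outside this hunk, so whether it still continues the filter chain after the status is set cannot be confirmed here, but if it does a downstream handler can overwrite the 400. Consider either still adding the headers before returning or moving the null check into the caller where the chain decision is made. The Javadoc ending on line 13 should also describe the new behaviour, e.g. `* Responds with 400 Bad Request and adds no headers when {@code getRequestURI()} returns {@code null}.`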
index 4e3f7311d2ae3b92adbcd7a55b21e4419d3c1278..bc4d8ed5f9785cf996fe62ec22073742b0f0e113 100644 (file)
@@ -40,6 +40,15 @@ public class SecurityServletFilterTest {
   private HttpServletResponse response = mock(HttpServletResponse.class);
   private FilterChain chain = mock(FilterChain.class);
 
+  @Test
+  public void ifRequestUriIsNull_returnBadRequest() throws ServletException, IOException {
+    HttpServletRequest request = newRequest("GET", "/");
+    when(request.getRequestURI()).thenReturn(null);
+
+    underTest.doFilter(request, response, chain);
+    verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+  }
+
   @Test
   public void allow_GET_method() throws IOException, ServletException {
     assertThatMethodIsAllowed("GET");
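Review bot: The new test only verifies setStatus(SC_BAD_REQUEST) and says nothing about what else the filter did with the rejected request, so it passes whether or not the chain was continued or security headers were written. Pin the intended contract explicitly, e.g. `verify(chain, never()).doFilter(request, response);` and `verify(response, never()).setHeader(anyString(), anyString());`, or their positive counterparts if continuing the chain is intended. The `newRequest` helper used on line 30 is defined outside this hunk, so the shape of the mocked request is assumed from its name.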