Browse Source
SONAR-18393 Return 400 Bad Request in case request contains unsupported char
tags/10.0.0.68432
Aurelien Poscia
1 year ago
2 changed files with 14 additions and 0 deletions
+ 5
- 0
server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
View File
| @@ -64,6 +64,11 @@ public class SecurityServletFilter implements Filter { | |||
| * Adds security HTTP headers in the response. The headers are added using {@code setHeader()}, which overwrites existing headers. | |||
| */ | |||
| public static void addSecurityHeaders(HttpServletRequest httpRequest, HttpServletResponse httpResponse) { | |||
| if (httpRequest.getRequestURI() == null) { | |||
| httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST); | |||
| return; | |||
| } | |||
| // Clickjacking protection | |||
| // See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE | |||
| // The protection is disabled on purpose for integration in external systems like Github (/integration/github). | |||
+ 9
- 0
server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
View File
| @@ -40,6 +40,15 @@ public class SecurityServletFilterTest { | |||
| private HttpServletResponse response = mock(HttpServletResponse.class); | |||
| private FilterChain chain = mock(FilterChain.class); | |||
| @Test | |||
| public void ifRequestUriIsNull_returnBadRequest() throws ServletException, IOException { | |||
| HttpServletRequest request = newRequest("GET", "/"); | |||
| when(request.getRequestURI()).thenReturn(null); | |||
| underTest.doFilter(request, response, chain); | |||
| verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST); | |||
| } | |||
| @Test | |||
| public void allow_GET_method() throws IOException, ServletException { | |||
| assertThatMethodIsAllowed("GET"); | |||
Loading…