1   /*
2    * Copyright (c) 2002-2025, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.util.http;
35  
36  import org.junit.Test;
37  import org.springframework.mock.web.MockHttpServletRequest;
38  
39  import fr.paris.lutece.test.LuteceTestCase;
40  
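/**
 * Unit tests for {@link SecurityUtil}: request-parameter sanitisation and open-redirect protection.
 * <p>
 * The expectations here pin which characters {@code containsCleanParameters} rejects and which
 * redirect targets {@code isInternalRedirectUrlSafe} refuses. They are the contract the rest of the
 * application relies on whenever a request parameter is allowed to drive a redirect or be echoed.
 */
public class SecurityUtilTest extends LuteceTestCase
{
    /** Name of the parameter whose value is varied across the clean-parameter cases. */
    private static final String PARAM_UNDER_TEST = "param4";

    /** Name of the request parameter carrying the redirect target. */
    private static final String PARAM_URL = "url";

    /**
     * Test of containsCleanParameters method, of class SecurityUtil.
     * <p>
     * Alphanumerics and {@code /} are clean. The HTML / attribute / fragment delimiters {@code <},
     * {@code >}, {@code #} and {@code "} must be rejected. {@code %}, {@code ;}, {@code &},
     * square brackets and curly braces are accepted by the current implementation; the test records
     * that choice so a change to the character set is noticed, it does not endorse it.
     */
    @Test
    public void testContainsCleanParameters( )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );
        request.setParameter( "param1", "AZ" );
        request.setParameter( "param2", "09" );
        request.setParameter( "param3", "az" );
        request.setParameter( PARAM_UNDER_TEST, "/" );

        assertTrue( SecurityUtil.containsCleanParameters( request ) );

        // Accepted: percent is needed for URL-encoded values
        assertParameterAccepted( request, "%" );

        // Rejected: characters that would break out of an HTML context or a URL fragment
        assertParameterRejected( request, ">" );
        assertParameterRejected( request, "<" );
        assertParameterRejected( request, "#" );
        assertParameterRejected( request, "\"" );

        // Accepted by the current filter (each value checked once; the original list repeated ';')
        assertParameterAccepted( request, ";" );
        assertParameterAccepted( request, "&" );
        assertParameterAccepted( request, "[" );
        assertParameterAccepted( request, "]" );
        assertParameterAccepted( request, "{" );
        assertParameterAccepted( request, "}" );
    }

    /**
     * Test of isRedirectUrlSafe method, of class SecurityUtil, to avoid open redirect.
     * <p>
     * Refused: absolute URLs to another host, protocol-relative {@code //host}, non-HTTP schemes
     * ({@code file:}, {@code javascript:}, browser-specific {@code opera-http:}), a leading slash
     * followed by backslashes, and a host that only ends with the whitelisted domain name. Allowed:
     * {@code null}, the empty string, relative paths, a localhost URL and a host matching the
     * configured patterns.
     */
    @Test
    public void testIsRedirectUrlSafe( )
    {
        MockHttpServletRequest request = new MockHttpServletRequest( );

        // Assert False
        assertRedirectRefused( request, "http://anothersite.com" );
        assertRedirectRefused( request, "//anothersite.com" );
        assertRedirectRefused( request, "file://my.txt" );
        assertRedirectRefused( request, "javascript:alert('hello');" );
        assertRedirectRefused( request, "opera-http://anothersite.com" );
        // "/\\redirect.ywh.at" once unescaped: some user agents normalise '\' to '/', which would
        // turn this into a protocol-relative URL to an external host
        assertRedirectRefused( request, "/\\\\redirect.ywh.at" );

        // Suffix confusion: "mylutece.com" must not satisfy "**.lutece.com".
        // NOTE(review): this pattern list also lacks the trailing "/**" used in the positive case
        // below, so two things differ between the two cases — confirm the host is what decides.
        String strUrl = "http://another.subdomain.mylutece.com";
        request.setParameter( PARAM_URL, strUrl );
        String strUrlPatterns = "http://**.lutece.com,https://**.lutece.com";
        assertFalse( SecurityUtil.isInternalRedirectUrlSafe( strUrl, request, strUrlPatterns ) );

        // Assert True
        // No parameter is set for the null / empty cases: the original test left the request as-is
        assertTrue( SecurityUtil.isInternalRedirectUrlSafe( null, request ) );
        assertTrue( SecurityUtil.isInternalRedirectUrlSafe( "", request ) );

        assertRedirectAllowed( request, "/jsp/site/Portal.jsp" );
        assertRedirectAllowed( request, "Another.jsp" );
        assertRedirectAllowed( request, "http://localhost/myapp/jsp/site/Portal.jsp" );

        strUrl = "http://another.subdomain.lutece.com";
        request.setParameter( PARAM_URL, strUrl );
        strUrlPatterns = "http://**.lutece.com/**,https://**.lutece.com/**";
        assertTrue( SecurityUtil.isInternalRedirectUrlSafe( strUrl, request, strUrlPatterns ) );
    }

    /**
     * Sets {@value #PARAM_UNDER_TEST} to {@code strValue} and asserts the request is reported clean.
     *
     * @param request
     *            the request under test
     * @param strValue
     *            the parameter value expected to pass the filter
     */
    private static void assertParameterAccepted( MockHttpServletRequest request, String strValue )
    {
        request.setParameter( PARAM_UNDER_TEST, strValue );
        assertTrue( "expected '" + strValue + "' to be accepted", SecurityUtil.containsCleanParameters( request ) );
    }

    /**
     * Sets {@value #PARAM_UNDER_TEST} to {@code strValue} and asserts the request is reported unclean.
     *
     * @param request
     *            the request under test
     * @param strValue
     *            the parameter value expected to be rejected by the filter
     */
    private static void assertParameterRejected( MockHttpServletRequest request, String strValue )
    {
        request.setParameter( PARAM_UNDER_TEST, strValue );
        assertFalse( "expected '" + strValue + "' to be rejected", SecurityUtil.containsCleanParameters( request ) );
    }

    /**
     * Stores {@code strUrl} in the {@value #PARAM_URL} parameter and asserts it is refused as a redirect target.
     *
     * @param request
     *            the request under test
     * @param strUrl
     *            the candidate redirect target
     */
    private static void assertRedirectRefused( MockHttpServletRequest request, String strUrl )
    {
        request.setParameter( PARAM_URL, strUrl );
        assertFalse( "expected '" + strUrl + "' to be refused", SecurityUtil.isInternalRedirectUrlSafe( strUrl, request ) );
    }

    /**
     * Stores {@code strUrl} in the {@value #PARAM_URL} parameter and asserts it is accepted as a redirect target.
     *
     * @param request
     *            the request under test
     * @param strUrl
     *            the candidate redirect target
     */
    private static void assertRedirectAllowed( MockHttpServletRequest request, String strUrl )
    {
        request.setParameter( PARAM_URL, strUrl );
        assertTrue( "expected '" + strUrl + "' to be allowed", SecurityUtil.isInternalRedirectUrlSafe( strUrl, request ) );
    }
}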
154 }