Skip to content

Add methods to augment allowed headers and parameters in StrictHttpFi…#15048

Merged
jzheaux merged 1 commit intospring-projects:mainfrom
baezzys:enhance/strict-http-firewall-flexibility
Jul 19, 2024
Merged

Add methods to augment allowed headers and parameters in StrictHttpFi…#15048
jzheaux merged 1 commit intospring-projects:mainfrom
baezzys:enhance/strict-http-firewall-flexibility

Conversation

@baezzys
Copy link
Copy Markdown
Contributor

@baezzys baezzys commented May 12, 2024
edited by jzheaux
Loading

This pull request introduces new constants in the StrictHttpFirewall class that allow for the augmentation of the sets of allowable header names, header values, parameter names, and parameter values.

This closes #13639

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 12, 2024
jzheaux
jzheaux requested changes May 21, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @baezzys! There is an issue with having both set and add that I didn't see earlier, which is that it assumes that the application wants to do Predicate#and and not Predicate#or. It doesn't give the developer much more power.

Also, I think that addAllowHeaderValues makes it seem like you are listing additional ways that headers would be allowed, which is the opposite of the implementation.

Instead, please let's introduce public static defaults for each, like so:

public static final Predicate<String> ALLOWED_HEADER_NAMES = ...;

public static final Predicate<String> ALLOWED_HEADER_VALUES = ...;

public static final Predicate<String> ALLOWED_PARAMETER_NAMES = ...;

public static final Predicate<String> ALLOWED_PARAMETER_VALUES = ...;

So that an application can do:

firewall.setAllowedHeaderValues(ALLOWED_HEADER_VALUES.and((value) -> !value.contains("\t")))

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 21, 2024
@baezzys
Copy link
Copy Markdown
Contributor Author

baezzys commented May 26, 2024

Thank you for the review, @jzheaux. However, since the setters are not static, would it be acceptable to change them to public instead of public static?

@jzheaux
Copy link
Copy Markdown
Contributor

jzheaux commented May 31, 2024

I think they should be static so that you don't need an instance of the firewall to refer to them.

@baezzys
Copy link
Copy Markdown
Contributor Author

baezzys commented Jun 1, 2024

Thank you for the feedback, @jzheaux

I have updated the StrictHttpFirewall class to change the private Predicates for allowed header names, header values, parameter names, and parameter values to public static. Additionally, I have changed the corresponding setters.

Please review the changes and let me know if any further adjustments are needed.

jzheaux
jzheaux requested changes Jun 5, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @baezzys! I've left some feedback inline.

Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java Outdated
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java Outdated
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java Outdated
Comment thread web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java Outdated
Comment thread web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java Outdated
Comment thread web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java Outdated
Comment thread web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java Outdated
@baezzys
Copy link
Copy Markdown
Contributor Author

baezzys commented Jul 10, 2024

Hi @jzheaux, Sorry for the late response. I've made the changes based on your feedback. PTAL. Thanks!

@baezzys @jzheaux
Publish Constants for Firewall Header and Parameter Predicates
a393e13 
Introduced public static final Predicates for allowed header names,
header values, parameter names, and parameter values for building
expressions.

Closes gh-13639
@jzheaux jzheaux self-assigned this Jul 18, 2024
@jzheaux jzheaux added this to the 6.4.0-M2 milestone Jul 18, 2024
@jzheaux jzheaux merged commit 4169c0c into spring-projects:main Jul 19, 2024
@jzheaux
Copy link
Copy Markdown
Contributor

jzheaux commented Jul 19, 2024

Thank you, @baezzys, for the PR! This is now merged into main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels

in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Projects

None yet

Milestone

6.4.0-M2

Development

Successfully merging this pull request may close these issues.

StrictHttpFirewall#setAllowedHeaderNames should augment with existing Predicate

3 participants

@baezzys @jzheaux @spring-projects-issues