GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Move SAML Post inline javascript to script tag 

To avoid relying on HTML event handlers and adding unsafe-* rules to CSP, the javascript is moved to a <script> tag. This also allows a better browser compatibility

Closes gh-11676
pull/11719/head
Marcus Da Coregio 3 years ago committed by Josh Cummings
parent
9f6d9c2b84
commit
00302c80ad
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
6 changed files with 13 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
  2. 3
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java
  3. 3
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java
  4. 4
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilterTests.java
  5. 4
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java
  6. 4
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java

5
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
Unescape View File

@ -147,10 +147,10 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter @@ -147,10 +147,10 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
.append("content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">\n");
html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n");
html.append(" <body>\n");
html.append(" <noscript>\n");
html.append(" <p>\n");
html.append(" <strong>Note:</strong> Since your browser does not support JavaScript,\n");
@ -179,6 +179,7 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter @@ -179,6 +179,7 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
html.append(" </form>\n");
html.append(" \n");
html.append(" </body>\n");
html.append(" <script>window.onload = () => document.forms[0].submit();</script>\n");
html.append("</html>");
return html.toString();
}

3
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java
Unescape View File

@ -200,7 +200,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter { @@ -200,7 +200,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
.append("content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">\n");
html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n");
@ -232,6 +232,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter { @@ -232,6 +232,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
html.append(" </form>\n");
html.append(" \n");
html.append(" </body>\n");
html.append(" <script>window.onload = () => document.forms[0].submit();</script>\n");
html.append("</html>");
return html.toString();
}

3
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandler.java
Unescape View File

@ -119,7 +119,7 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log @@ -119,7 +119,7 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
html.append("<!DOCTYPE html>\n");
html.append("<html>\n").append(" <head>\n");
html.append(" <meta http-equiv=\"Content-Security-Policy\" ")
.append("content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">\n");
.append("content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">\n");
html.append(" <meta charset=\"utf-8\" />\n");
html.append(" </head>\n");
html.append(" <body onload=\"document.forms[0].submit()\">\n");
@ -151,6 +151,7 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log @@ -151,6 +151,7 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
html.append(" </form>\n");
html.append(" \n");
html.append(" </body>\n");
html.append(" <script>window.onload = () => document.forms[0].submit();</script>\n");
html.append("</html>");
return html.toString();
}

4
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilterTests.java
Unescape View File

@ -171,8 +171,8 @@ public class Saml2WebSsoAuthenticationRequestFilterTests { @@ -171,8 +171,8 @@ public class Saml2WebSsoAuthenticationRequestFilterTests {
this.filter.doFilterInternal(this.request, this.response, this.filterChain);
assertThat(this.response.getHeader("Location")).isNull();
assertThat(this.response.getContentAsString()).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">")
.contains("<body onload=\"document.forms[0].submit()\">")
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">")
.contains("<script>window.onload = () => document.forms[0].submit();</script>")
.contains("<form action=\"https://sso-url.example.com/IDP/SSO\" method=\"post\">")
.contains("<input type=\"hidden\" name=\"SAMLRequest\"")
.contains("value=\"" + relayStateEncoded + "\"");

4
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilterTests.java
Unescape View File

@ -112,8 +112,8 @@ public class Saml2LogoutRequestFilterTests { @@ -112,8 +112,8 @@ public class Saml2LogoutRequestFilterTests {
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
assertThat(content).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">");
assertThat(content).contains("<script>window.onload = () => document.forms[0].submit();</script>");
}
@Test

4
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests.java
Unescape View File

@ -98,8 +98,8 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests { @@ -98,8 +98,8 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
assertThat(content).contains(
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='\">");
assertThat(content).contains("<body onload=\"document.forms[0].submit()\">");
"<meta http-equiv=\"Content-Security-Policy\" content=\"script-src 'sha256-t+jmhLjs1ocvgaHBJsFcgznRk68d37TLtbI3NE9h7EU='\">");
assertThat(content).contains("<script>window.onload = () => document.forms[0].submit();</script>");
}
private Saml2Authentication authentication(RelyingPartyRegistration registration) {

Write Preview
Loading…
Cancel
Save