SEC-2498: RequestCache allows POST when CSRF is disabled

12 years ago · a11746a8d1
2 changed files with 60 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurer.java
@ -15,7 +15,9 @@
				@@ -15,7 +15,9 @@
 */
 package org.springframework.security.config.annotation.web.configurers;

+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.List;

 import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@ -114,12 +116,13 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
				@@ -114,12 +116,13 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
        return defaultCache;
    }

+    @SuppressWarnings("unchecked")
    private RequestMatcher createDefaultSavedRequestMatcher(H http) {
        ContentNegotiationStrategy contentNegotiationStrategy = http.getSharedObject(ContentNegotiationStrategy.class);
        if(contentNegotiationStrategy == null) {
            contentNegotiationStrategy = new HeaderContentNegotiationStrategy();
        }
-        RequestMatcher getRequests = new AntPathRequestMatcher("/**", "GET");
+
        RequestMatcher notFavIcon = new NegatedRequestMatcher(new AntPathRequestMatcher("/**/favicon.ico"));

        MediaTypeRequestMatcher jsonRequest = new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.APPLICATION_JSON);
@ -127,6 +130,18 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
				@@ -127,6 +130,18 @@ public final class RequestCacheConfigurer<H extends HttpSecurityBuilder<H>> exte
        RequestMatcher notJson = new NegatedRequestMatcher(jsonRequest);

        RequestMatcher notXRequestedWith = new NegatedRequestMatcher(new RequestHeaderRequestMatcher("X-Requested-With","XMLHttpRequest"));
-        return new AndRequestMatcher(getRequests, notFavIcon, notJson, notXRequestedWith);
+
+        boolean isCsrfEnabled = http.getConfigurer(CsrfConfigurer.class) != null;
+
+        List<RequestMatcher> matchers = new ArrayList<RequestMatcher>();
+        if(isCsrfEnabled) {
+            RequestMatcher getRequests = new AntPathRequestMatcher("/**", "GET");
+            matchers.add(0, getRequests);
+        }
+        matchers.add(notFavIcon);
+        matchers.add(notJson);
+        matchers.add(notXRequestedWith);
+
+        return new AndRequestMatcher(matchers);
    }
 }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
@ -102,6 +102,49 @@ class CsrfConfigurerTests extends BaseSpringSpec {
				@@ -102,6 +102,49 @@ class CsrfConfigurerTests extends BaseSpringSpec {
        }
    }

+    def "SEC-2498: Disable CSRF enables RequestCache for any method"() {
+        setup:
+            loadConfig(DisableCsrfEnablesRequestCacheConfig)
+            request.requestURI = '/tosave'
+            request.method = "POST"
+            clearCsrfToken()
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            response.redirectedUrl
+        when:
+            super.setupWeb(request.session)
+            request.method = "POST"
+            request.servletPath = '/login'
+            request.parameters['username'] = ['user'] as String[]
+            request.parameters['password'] = ['password'] as String[]
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            response.redirectedUrl == 'http://localhost/tosave'
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    static class DisableCsrfEnablesRequestCacheConfig extends WebSecurityConfigurerAdapter {
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http
+                .authorizeRequests()
+                    .anyRequest().authenticated()
+                    .and()
+                .formLogin().and()
+                .csrf().disable()
+
+        }
+        @Override
+        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
+
    def "SEC-2422: csrf expire CSRF token and session-management invalid-session-url"() {
        setup:
            loadConfig(InvalidSessionUrlConfig)