Skip to content

KNOX-3103 - Move RegEx Tests from KnoxSSO module to RegExUtils #998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Feb 27, 2025
Merged

KNOX-3103 - Move RegEx Tests from KnoxSSO module to RegExUtils #998

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6463797
KNOX-3100 - RemoteAuthProvider to accept multiple group headers
lmccay Feb 26, 2025
17652b2
KNOX-3100 - fix checkstyle issue
lmccay Feb 26, 2025
79aa90b
KNOX-3103 - Move RegExUtils testing to an appropriate suite in the th…
lmccay Feb 27, 2025
42c460b
KNOX-3103 - add the apache license to the new test class
lmccay Feb 27, 2025
52180ec
KNOX-3103 - checkstyle corrections
lmccay Feb 27, 2025
83326f8
Merge branch 'master' into KNOX-3103
lmccay Feb 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 0 additions & 82 deletions ...ice-knoxsso/src/test/java/org/apache/knox/gateway/service/knoxsso/WebSSOResourceTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@

import java.lang.reflect.Field;
import java.net.HttpCookie;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
Expand Down Expand Up @@ -67,7 +66,6 @@
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.session.control.ConcurrentSessionVerifier;
import org.apache.knox.gateway.util.RegExUtils;
import org.easymock.EasyMock;
import org.junit.Assert;
import org.junit.BeforeClass;
Expand Down Expand Up @@ -107,86 +105,6 @@ public static void setUpBeforeClass() throws Exception {
gatewayPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
}

@Test
public void testWhitelistMatching() {
String whitelist = "^https?://.*example.com:8080/.*$;" +
"^https?://.*example.com/.*$;" +
"^https?://.*example2.com:\\d{0,9}/.*$;" +
"^https://.*example3.com:\\d{0,9}/.*$;" +
"^https?://localhost:\\d{0,9}/.*$;^/.*$";

// match on explicit hostname/domain and port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:8080/"));
// match on non-required port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com/"));
// match on required but any port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com:1234/"));
// fail on missing port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com/"));
// fail on invalid port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:8081/"));
// fail on alphanumeric port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:A080/"));
// fail on invalid hostname/domain
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.net:8080/"));
// fail on required port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com/"));
// fail on required https
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example3.com/"));
// match on localhost and port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://localhost:8080/"));
// match on local/relative path
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"/local/resource/"));
}

@Test
public void testWhitelistMatchingAgainstBaseURL() throws MalformedURLException {
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN"));
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN?a=1&b=2"));
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN?a=1&b=2"));
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN/path1/path2/path/3?a=1&b=2"));
Assert.assertFalse("Inappropriately matched whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://google.com?https://KNOX_GW_DOMAIN"));
Assert.assertFalse("Inappropriately matched whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://google.com/https://KNOX_GW_DOMAIN"));
}

@Test
public void testMaliciousOriginalUrl() throws Exception {
String whitelist = "^(?!.*([<>\"'`{}|\\\\^]|<script|%3cscript|javascript:|data:|alert\\(|onclick=))(^https?://.*example.com/.*)$";

// make sure it is malicious and therefore does NOT match
assertFalse(RegExUtils.checkWhitelist(whitelist, "https://example.com/path?param=%3e%3cscript%3e"));
// make sure it matches because it is not malicious
assertTrue(RegExUtils.checkWhitelist(whitelist, "https://example.com/path"));
}

@Test(expected = MalformedURLException.class)
public void testMalformedOriginalUrl() throws MalformedURLException {
RegExUtils.checkBaseUrlAgainstWhitelist(".*", "https://localhost:5003gateway/homepage/home/");
}

private void configureCommonExpectations(Map<String, String> contextExpectations) throws Exception {
configureCommonExpectations(contextExpectations, false, false, true);
}
Expand Down
106 changes: 106 additions & 0 deletions gateway-util-common/src/test/java/org/apache/knox/gateway/util/RegExUtilsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.knox.gateway.util;

import org.junit.Assert;
import org.junit.Test;

import java.net.MalformedURLException;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

public class RegExUtilsTest {

@Test
public void testWhitelistMatching() {
String whitelist = "^https?://.*example.com:8080/.*$;" +
"^https?://.*example.com/.*$;" +
"^https?://.*example2.com:\\d{0,9}/.*$;" +
"^https://.*example3.com:\\d{0,9}/.*$;" +
"^https?://localhost:\\d{0,9}/.*$;^/.*$";

// match on explicit hostname/domain and port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:8080/"));
// match on non-required port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com/"));
// match on required but any port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com:1234/"));
// fail on missing port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com/"));
// fail on invalid port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:8081/"));
// fail on alphanumeric port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.com:A080/"));
// fail on invalid hostname/domain
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example.net:8080/"));
// fail on required port
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example2.com/"));
// fail on required https
assertFalse("Matched whitelist inappropriately", RegExUtils.checkWhitelist(whitelist,
"http://host.example3.com/"));
// match on localhost and port
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"http://localhost:8080/"));
// match on local/relative path
Assert.assertTrue("Failed to match whitelist", RegExUtils.checkWhitelist(whitelist,
"/local/resource/"));
}

@Test
public void testWhitelistMatchingAgainstBaseURL() throws MalformedURLException {
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN"));
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN?a=1&b=2"));
Assert.assertTrue("Failed to match whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://KNOX_GW_DOMAIN/path1/path2/path/3?a=1&b=2"));
Assert.assertFalse("Inappropriately matched whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://google.com?https://KNOX_GW_DOMAIN"));
Assert.assertFalse("Inappropriately matched whitelist",
RegExUtils.checkBaseUrlAgainstWhitelist("^https?:\\/\\/(.*KNOX_GW_DOMAIN)(?::[0-9]+)?(?:\\/.*)?$",
"https://google.com/https://KNOX_GW_DOMAIN"));
}

@Test
public void testMaliciousOriginalUrl() throws Exception {
String whitelist = "^(?!.*([<>\"'`{}|\\\\^]|<script|%3cscript|javascript:|data:|alert\\(|onclick=))(^https?://.*example.com/.*)$";

// make sure it is malicious and therefore does NOT match
assertFalse(RegExUtils.checkWhitelist(whitelist, "https://example.com/path?param=%3e%3cscript%3e"));
// make sure it matches because it is not malicious
assertTrue(RegExUtils.checkWhitelist(whitelist, "https://example.com/path"));
}

@Test(expected = MalformedURLException.class)
public void testMalformedOriginalUrl() throws MalformedURLException {
RegExUtils.checkBaseUrlAgainstWhitelist(".*", "https://localhost:5003gateway/homepage/home/");
}
}