From 88f6b85a3a2e5723cd2ccde8fedd0962bf3a4c26 Mon Sep 17 00:00:00 2001
From: ztaylor54
Date: Fri, 5 Mar 2021 13:20:20 -0800
Subject: [PATCH] Sanitize login redirect targets to only allow relative paths and query parameters

---
 .../java/jpl/cws/controller/MvcService.java | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/cws-service/src/main/java/jpl/cws/controller/MvcService.java b/cws-service/src/main/java/jpl/cws/controller/MvcService.java
index b8912455..fd7208ed 100644
--- a/cws-service/src/main/java/jpl/cws/controller/MvcService.java
+++ b/cws-service/src/main/java/jpl/cws/controller/MvcService.java
@@ -7,6 +7,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -99,9 +101,33 @@ public ModelAndView logintotarget(
 .singleResult();
 log.debug("user: " + user);
 
+ String pattern = // first part: some/relative/path
+ "^" // Anchor at the beginning of the string
+ "(?!\\/)" // Assert the first character isn't a '/' (negative lookahead)
+ "(?!.*\\/\\/)" // Assert there are no "//" present anywhere (negative lookahead)
+ "[A-Za-z0-9-\\/]+" // Match one or more allowed characters
+ "(?