Skip to content

S
spring-framework

爱吃血肠 / spring-framework

通知 1
Star 0
Fork 0
S
spring-framework

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
WebUtilsTests.java 8.7 KB
Newer Older
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
1 
/*
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
2 
 * Copyright 2002-2015 the original author or authors.
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.util;
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
19 
import java.util.Arrays;
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
20 
import java.util.Collections;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
21 
import java.util.HashMap;
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
22 
import java.util.List;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
23 24 
import java.util.Map;
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
25 
import org.junit.Test;
J
Consistent formatting of license headers, package javadocs, and import declarations  
Juergen Hoeller 已提交
26
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
27 28 29 30 
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.mock.web.test.MockHttpServletRequest;
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
31 
import org.springframework.util.MultiValueMap;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
32
J
Consistent formatting of license headers, package javadocs, and import declarations  
Juergen Hoeller 已提交
33 34 
import static org.junit.Assert.*;
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
35 36 
/**
 * @author Juergen Hoeller
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
37 
 * @author Arjen Poutsma
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
38 
 * @author Rossen Stoyanchev
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
39 
 * @author Sebastien Deleuze
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
40 
 */
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
41 
public class WebUtilsTests {
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
42
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
43 44 
	@Test
	public void findParameterValue() {
J
Java 5 code style  
Juergen Hoeller 已提交
45 
		Map<String, Object> params = new HashMap<String, Object>();
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
46 47 48 
		params.put("myKey1", "myValue1");
		params.put("myKey2_myValue2", "xxx");
		params.put("myKey3_myValue3.x", "xxx");
J
Java 5 code style  
Juergen Hoeller 已提交
49 
		params.put("myKey4_myValue4.y", new String[] {"yyy"});
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
50 51 52 53 54 55 56 57 

		assertNull(WebUtils.findParameterValue(params, "myKey0"));
		assertEquals("myValue1", WebUtils.findParameterValue(params, "myKey1"));
		assertEquals("myValue2", WebUtils.findParameterValue(params, "myKey2"));
		assertEquals("myValue3", WebUtils.findParameterValue(params, "myKey3"));
		assertEquals("myValue4", WebUtils.findParameterValue(params, "myKey4"));
	}
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
58 59 
	@Test
	public void extractFilenameFromUrlPath() {
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
60 61 62 63 64 65 66 67 
		assertEquals("index", WebUtils.extractFilenameFromUrlPath("index.html"));
		assertEquals("index", WebUtils.extractFilenameFromUrlPath("/index.html"));
		assertEquals("view", WebUtils.extractFilenameFromUrlPath("/products/view.html"));
		assertEquals("view", WebUtils.extractFilenameFromUrlPath("/products/view.html?param=a"));
		assertEquals("view", WebUtils.extractFilenameFromUrlPath("/products/view.html?param=/path/a"));
		assertEquals("view", WebUtils.extractFilenameFromUrlPath("/products/view.html?param=/path/a.do"));
	}
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
68 69 70 71 72 
	@Test
	public void extractFullFilenameFromUrlPath() {
		assertEquals("index.html", WebUtils.extractFullFilenameFromUrlPath("index.html"));
		assertEquals("index.html", WebUtils.extractFullFilenameFromUrlPath("/index.html"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html"));
R
Protect against RFD exploits  
Rossen Stoyanchev 已提交
73 74 75 
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/a"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/path/a"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/path/a.do"));
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
76 77 78 
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=a"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a.do"));
R
Protect against RFD exploits  
Rossen Stoyanchev 已提交
79 80 81 82 83 
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a#/path/a"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a.do#/path/a.do"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html?param=/path/a.do"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html;r=22?param=/path/a.do"));
		assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html;r=22;s=33?param=/path/a.do"));
A
Added extractFullFilenameFromUrlPath to WebUtils  
Arjen Poutsma 已提交
84 85 
	}
R
Add support for matrix variables  
Rossen Stoyanchev 已提交
86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 
	@Test
	public void parseMatrixVariablesString() {
		MultiValueMap<String, String> variables;

		variables = WebUtils.parseMatrixVariables(null);
		assertEquals(0, variables.size());

		variables = WebUtils.parseMatrixVariables("year");
		assertEquals(1, variables.size());
		assertEquals("", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("year=2012");
		assertEquals(1, variables.size());
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("year=2012;colors=red,blue,green");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables(";year=2012;colors=red,blue,green;");
		assertEquals(2, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
		assertEquals("2012", variables.getFirst("year"));

		variables = WebUtils.parseMatrixVariables("colors=red;colors=blue;colors=green");
		assertEquals(1, variables.size());
		assertEquals(Arrays.asList("red", "blue", "green"), variables.get("colors"));
	}
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
116 
	@Test
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
117 
	public void isValidOrigin() {
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
118 
		List<String> allowed = Collections.emptyList();
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
119 120 
		assertTrue(checkValidOrigin("mydomain1.com", -1, "http://mydomain1.com", allowed));
		assertFalse(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
121 122 

		allowed = Collections.singletonList("*");
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
123 
		assertTrue(checkValidOrigin("mydomain1.com", -1, "http://mydomain2.com", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
124 125 

		allowed = Collections.singletonList("http://mydomain1.com");
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
126 127 
		assertTrue(checkValidOrigin("mydomain2.com", -1, "http://mydomain1.com", allowed));
		assertFalse(checkValidOrigin("mydomain2.com", -1, "http://mydomain3.com", allowed));
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
128 129 130 
	}

	@Test
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
131 132 133 134 135 136 137 138 139 140 141 142 
	public void isSameOrigin() {
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com:443"));
		assertTrue(checkSameOrigin("mydomain1.com", 123, "http://mydomain1.com:123"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "ws://mydomain1.com"));
		assertTrue(checkSameOrigin("mydomain1.com", 443, "wss://mydomain1.com"));

		assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
		assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
		assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
S
Avoid stacktrace for invalid Origin header values  
Sebastien Deleuze 已提交
143 144 145 146 147 148 149 150 151 152 

		// Handling of invalid origins as described in SPR-13478
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
S
Make UriComponentsBuilder.fromOriginHeader() IPv6 compliant  
Sebastien Deleuze 已提交
153 154 155 156 157 158 159 160 

		// Handling of IPv6 hosts as described in SPR-13525
		assertTrue(checkSameOrigin("[::1]", -1, "http://[::1]"));
		assertTrue(checkSameOrigin("[::1]", 8080, "http://[::1]:8080"));
		assertTrue(checkSameOrigin("[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1, "http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
		assertTrue(checkSameOrigin("[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080, "http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
		assertFalse(checkSameOrigin("[::1]", -1, "http://[::1]:8080"));
		assertFalse(checkSameOrigin("[::1]", 8080, "http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
161 
	}
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
162 163
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
164 165 166 167 168 169 170 171 172 
	private boolean checkValidOrigin(String serverName, int port, String originHeader, List<String> allowed) {
		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
		servletRequest.setServerName(serverName);
		if (port != -1) {
			servletRequest.setServerPort(port);
		}
		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
		return WebUtils.isValidOrigin(request, allowed);
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
173 174 
	}
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
175 
	private boolean checkSameOrigin(String serverName, int port, String originHeader) {
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
176 177 
		MockHttpServletRequest servletRequest = new MockHttpServletRequest();
		ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
R
Allow "ws" and "wss" for isValidCorsOrigin checks  
Rossen Stoyanchev 已提交
178 179 180 181 182 
		servletRequest.setServerName(serverName);
		if (port != -1) {
			servletRequest.setServerPort(port);
		}
		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
S
Avoid rejecting same-origin requests detected as CORS requests  
Sebastien Deleuze 已提交
183 
		return WebUtils.isSameOrigin(request);
S
Change SockJS and Websocket default allowedOrigins to same origin  
Sebastien Deleuze 已提交
184 185 
	}
A
Added testsuite, as one project for now. Will move individual tests to respective modules later  
Arjen Poutsma 已提交
186 
}