Coverage Report

Coverage Report - net.sourceforge.pebble.security.PebbleRedirectStrategy

Classes in this File

Line Coverage

Branch Coverage

Complexity

PebbleRedirectStrategy

100%

12/12

83%

5/6

 /*
  * Copyright (c) 2003-2011, Simon Brown
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *   - Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  *
  *   - Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in
  *     the documentation and/or other materials provided with the
  *     distribution.
  *
  *   - Neither the name of Pebble nor the names of its contributors may
  *     be used to endorse or promote products derived from this software
  *     without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
 package net.sourceforge.pebble.security;
 
 import org.springframework.security.web.RedirectStrategy;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URI;
 
 /**
  * Redirect strategy that prevents redirection to URLs outside of Pebble.  It does this by removing the URI authority
  * section if it exists.
  */
 public class PebbleRedirectStrategy implements RedirectStrategy {
   public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
     response.sendRedirect(response.encodeRedirectURL(sanitiseUrl(request.getContextPath(), url)));
   }
 
   public static String sanitiseUrl(String contextPath, String url) {
     // Need to make sure there is no authority section
     URI uri = URI.create(url);
     if (uri.getRawAuthority() != null) {
 
       StringBuilder sb = new StringBuilder();
       if (uri.getRawPath() != null) {
         sb.append(uri.getRawPath());
       }
       if (uri.getRawQuery() != null) {
         sb.append("?").append(uri.getRawQuery());
       }
       return sb.toString();
 
     } else {
       return contextPath + url;
     }
   }
 }

1		/*
2		* Copyright (c) 2003-2011, Simon Brown
3		* All rights reserved.
4		*
5		* Redistribution and use in source and binary forms, with or without
6		* modification, are permitted provided that the following conditions are met:
7		*
8		* - Redistributions of source code must retain the above copyright
9		* notice, this list of conditions and the following disclaimer.
10		*
11		* - Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in
13		* the documentation and/or other materials provided with the
14		* distribution.
15		*
16		* - Neither the name of Pebble nor the names of its contributors may
17		* be used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23		* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24		* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25		* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26		* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27		* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28		* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30		* POSSIBILITY OF SUCH DAMAGE.
31		*/
32
33		package net.sourceforge.pebble.security;
34
35		import org.springframework.security.web.RedirectStrategy;
36
37		import javax.servlet.http.HttpServletRequest;
38		import javax.servlet.http.HttpServletResponse;
39		import java.io.IOException;
40		import java.net.URI;
41
42		/**
43		* Redirect strategy that prevents redirection to URLs outside of Pebble. It does this by removing the URI authority
44		* section if it exists.
45		*/
46	16	public class PebbleRedirectStrategy implements RedirectStrategy {
47		public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
48	16	response.sendRedirect(response.encodeRedirectURL(sanitiseUrl(request.getContextPath(), url)));
49	16	}
50
51		public static String sanitiseUrl(String contextPath, String url) {
52		// Need to make sure there is no authority section
53	20	URI uri = URI.create(url);
54	20	if (uri.getRawAuthority() != null) {
55
56	16	StringBuilder sb = new StringBuilder();
57	16	if (uri.getRawPath() != null) {
58	16	sb.append(uri.getRawPath());
59		}
60	16	if (uri.getRawQuery() != null) {
61	4	sb.append("?").append(uri.getRawQuery());
62		}
63	16	return sb.toString();
64
65		} else {
66	4	return contextPath + url;
67		}
68		}
69		}