OPENAM-7063

Author: joebandenburg

openam-server-only/src/main/webapp/oauth2c/OAuthLogout.jsp

@@ -38,6 +38,11 @@
 <%@ page import="java.util.Locale" %>
 <%@ page import="java.util.MissingResourceException" %>
 <%@ page import="org.forgerock.openam.authentication.modules.oauth2.OAuthUtil" %>
+<%@ page import="com.iplanet.sso.SSOTokenManager" %>
+<%@ page import="com.iplanet.sso.SSOException" %>
+<%@ page import="com.iplanet.sso.SSOToken" %>
+<%@ page import="com.sun.identity.authentication.service.AuthD" %>
+<%@ page import="com.sun.identity.idm.AMIdentity" %>
 <%
    // Internationalization stuff. You can use any internationalization framework
    String lang = request.getParameter("lang");
@@ -76,19 +81,19 @@
    String gotoURLencAttr = "";
    String OAuth2IdP = "";
    
-   String ServiceURI = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR); 
-   if (gotoURL == null || gotoURL.isEmpty() ) {
-      gotoURL = ServiceURI + "/UI/Logout"; 
-   } else {
-       boolean isValidURL = ESAPI.validator().
-               isValidInput("URLContext", gotoURL, "URL", 255, false); 
-       boolean isValidURI = ESAPI.validator().
-               isValidInput("HTTP URI: " + gotoURL, gotoURL, "HTTPURI", 2000, false);      
-       if (!isValidURL && !isValidURI) {
-           OAuthUtil.debugError("OAuthLogout: wrong goto URL attempted to be used "
-                   + "in the Logout page: " + gotoURL);
-           gotoURL = "wronggotoURL";
-       } 
+   String ServiceURI = SystemProperties.get(Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR);
+   SSOTokenManager manager = SSOTokenManager.getInstance();
+   try {
+       SSOToken ssoToken = manager.createSSOToken(request);
+       String realm = ssoToken.getProperty("Organization");
+       boolean isValidGotoUrl = AuthD.getAuth().isGotoUrlValid(gotoURL, realm);
+       if (!isValidGotoUrl) {
+           OAuthUtil.debugError("OAuthLogout: invalid or empty goto URL ignored on Logout page: " + gotoURL);
+           gotoURL = ServiceURI + "/UI/Logout";
+       }
+   } catch (SSOException e) {
+       OAuthUtil.debugMessage("OAuthLogout: using default goto URL because we failed to get a session");
+       gotoURL = ServiceURI + "/UI/Logout";
    }
    
    String logoutURL = request.getParameter(PARAM_LOGOUT_URL);

openam-shared/pom.xml

@@ -157,6 +157,11 @@
             <artifactId>java-ipv6</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>external</groupId>
+            <artifactId>esapiport</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>org.testng</groupId>
             <artifactId>testng</artifactId>

openam-shared/src/main/java/org/forgerock/openam/shared/security/whitelist/RedirectUrlValidator.java

@@ -22,9 +22,11 @@
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.Collection;
 import javax.servlet.http.HttpServletRequest;
 import org.forgerock.json.JsonValue;
+import org.owasp.esapi.ESAPI;
 
 /**
  * Validates the provided redirect URL against the list of valid goto URL domains.
@@ -46,6 +48,9 @@ public class RedirectUrlValidator<T> {
     private static final Debug DEBUG = Debug.getInstance("patternMatching");
     private final ValidDomainExtractor<T> domainExtractor;
 
+    // See http://stackoverflow.com/a/417184
+    private final static int MAX_URL_LENGTH = 2000;
+
     /**
      * Constructs a new RedirectUrlValidator instance.
      *
@@ -72,21 +77,18 @@ public boolean isRedirectUrlValid(final String url, final T configInfo) {
         if (DEBUG.messageEnabled()) {
             DEBUG.message("Validating goto URL " + url + " against patterns:\n" + patterns);
         }
-        if (patterns == null || patterns.isEmpty()) {
-            if (DEBUG.messageEnabled()) {
-                DEBUG.message("There are no patterns to validate the URL against, the goto URL is considered valid");
-            }
-            return true;
+
+        // JavaScript URIs are a common vector for XSS attacks.
+        if (url.toLowerCase().startsWith("javascript:")) {
+            return false;
         }
 
         try {
             final URI uri = new URI(url);
-            //Both Absolute and scheme relative URLs should be validated.
+            // Both Absolute and scheme relative URLs should be validated.
             if (!uri.isAbsolute() && !url.startsWith("//")) {
-                if (DEBUG.messageEnabled()) {
-                    DEBUG.message(url + " is a relative URI, the goto URL is considered valid");
-                }
-                return true;
+                return ESAPI.validator().isValidInput("isRedirectUrlValid", url, "HTTPURI", MAX_URL_LENGTH,
+                        false);
             }
         } catch (final URISyntaxException urise) {
             if (DEBUG.messageEnabled()) {
@@ -95,6 +97,17 @@ public boolean isRedirectUrlValid(final String url, final T configInfo) {
             return false;
         }
 
+        if (!ESAPI.validator().isValidInput("isRedirectUrlValid", url, "URL", MAX_URL_LENGTH, false)) {
+            return false;
+        }
+
+        if (patterns == null || patterns.isEmpty()) {
+            if (DEBUG.messageEnabled()) {
+                DEBUG.message("There are no patterns to validate the URL against, the goto URL is considered valid");
+            }
+            return true;
+        }
+
         final URLPatternMatcher patternMatcher = new URLPatternMatcher();
         try {
             return patternMatcher.match(url, patterns, true);

openam-shared/src/test/java/org/forgerock/openam/shared/security/whitelist/RedirectUrlValidatorTest.java

@@ -157,4 +157,70 @@ public Collection<String> extractValidDomains(String configInfo) {
             }
         });
     }
+
+    @DataProvider(name = "relative")
+    public Object[][] getRelativeCases() {
+        return new Object[][]{
+                {"/foo", true},
+                {"foo", true},
+                {"foo?abc=123", true},
+                {"foo/bar", true},
+                {"areallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurl", true},
+                {"areallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurlareallyreallylongurltoolong", false},
+        };
+    }
+
+    @Test(dataProvider = "relative")
+    public void testRelativeUrlsWithWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(asSet("http://example.com/*"));
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
+
+    @Test(dataProvider = "relative")
+    public void testRelativeUrlsWithoutWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(null);
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
+
+    @DataProvider(name = "javascript")
+    public Object[][] getJavaScriptCases() {
+        return new Object[][]{
+                {"javascript:alert", false},
+                {"JavaSCRIpt:alert", false},
+                {"/javascript:alert", true},
+        };
+    }
+
+    @Test(dataProvider = "javascript")
+    public void testJavaScriptUrlsWithWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(asSet("http://example.com/*"));
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
+
+    @Test(dataProvider = "javascript")
+    public void testJavaScriptUrlsWithoutWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(null);
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
+
+    @DataProvider(name = "malformed")
+    public Object[][] getMalformedCases() {
+        return new Object[][]{
+                {"http:abc", false},
+                {"http:/abc", false},
+                {"/a$bc", false}
+        };
+    }
+
+    @Test(dataProvider = "malformed")
+    public void testMalformedUrlsWithWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(asSet("http://example.com/*"));
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
+
+    @Test(dataProvider = "malformed")
+    public void testMalformedUrlsWithoutWhitelist(String url, boolean result) {
+        RedirectUrlValidator<String> validator = getValidator(null);
+        assertThat(validator.isRedirectUrlValid(url, null)).isEqualTo(result);
+    }
 }