Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#1025] - Shiro's InvalidRequestFilter blocks valid paths with encoded slashes #1026

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

haster
Copy link

@haster haster commented Aug 2, 2023

fixes #1025
Adds a 3-valued enum for path-traversal-blockmode. Default is NORMAL, which only blocks actual paths. STRICT also blocks encoded slashes ('/') and periods ('.'). NO_BLOCK disables.

This enables a mode to block actual path traversal while still allowing for encoded URLs and such to be present as path parameter.

Following this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a GitHub issue filed
    for the change (usually before you start working on it). Trivial changes like typos do not
    require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
  • Each commit in the pull request should have a meaningful subject line and body.
  • Format the pull request title like [#XXX] - Fixes bug in SessionManager,
    where you replace #XXX with the appropriate GitHub issue. Best practice
    is to use the GitHub issue title in the pull request title and in the first line of the commit message.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • add fixes #XXX if merging the PR should close a related issue.
  • Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
  • If you have a group of commits related to the same change, please squash your commits into one and force push your branch using git rebase -i.
  • Committers: Make sure a milestone is set on the PR

Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

Default is NORMAL, which only blocks actual paths. STRICT also blocks encoded slashes ('/') and periods ('.'). NO_BLOCK disables.
@lprimak lprimak requested a review from bdemers August 2, 2023 15:15
@lprimak lprimak modified the milestones: 1.13.0, 2.0 Aug 2, 2023
@lprimak lprimak added pending-cla java Pull requests that update Java code core Core Modules labels Aug 2, 2023
@bdemers
Copy link
Member

bdemers commented Sep 1, 2023

Thanks for the PR @haster! (and sorry for the delay with the response)

I can see the desire to make this more flexible, but we need to make sure we retain backwards compatibility with the current versions of Shiro.
e.g. restore the boolean getter's, (though we could deprecate it too)

I think the default value should be what you have defined as STRICT (secure by default)

Possibly enum values of ENABLED, LAX, and DISABLED? Where LAX, (or something better named), is your current NORMAL?

  /**
     * 
     * @deprecated Use {@link #getBlockTraversal()}
     */
    @Deprecated
public boolean isBlockTraversal() {
  // we could even add a log warning here 🤷
  return this.pathTraversalBlockMode != DISABLED;
}

Thoughts / suggestions? (other ideas for the term LAX)?

@ansidev
Copy link

ansidev commented Sep 21, 2023

Are there any updates on this issue?

@lprimak
Copy link
Contributor

lprimak commented Nov 5, 2023

@haster what do you think about @bdemers suggestions?

@lprimak lprimak modified the milestones: 1.13.0, 1.14.0, 2.0 Nov 8, 2023
@github-actions github-actions bot added the Stale label Feb 7, 2024
@github-actions github-actions bot closed this Feb 14, 2024
@lprimak lprimak reopened this Feb 14, 2024
@github-actions github-actions bot removed the Stale label Feb 15, 2024
@lprimak lprimak modified the milestones: 1.14.0, 2.0.1 Feb 24, 2024
@lprimak lprimak modified the milestones: 2.0.1, 2.0.2, Backlog May 20, 2024
@lprimak
Copy link
Contributor

lprimak commented Jun 20, 2024

There are still issues with this PR that remain unresolved, and it seems the author has abandoned it.
We are happy to accept improvements to this PR or another PR to resolve the outstanding issues

@github-actions github-actions bot added the Stale label Sep 19, 2024
@github-actions github-actions bot closed this Sep 26, 2024
@lprimak lprimak reopened this Sep 26, 2024
@lprimak lprimak removed the abandoned label Sep 26, 2024
@github-actions github-actions bot removed the Stale label Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core Core Modules java Pull requests that update Java code pending-cla
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug] Shiro's InvalidRequestFilter blocks valid paths with encoded slashes
4 participants