Added request content type validation
This commit is contained in:
parent
e329dbec1a
commit
babdb5dd9a
@ -113,5 +113,6 @@ libraryDependencies ++= Seq(
|
|||||||
"commons-validator" % "commons-validator" % "1.7",
|
"commons-validator" % "commons-validator" % "1.7",
|
||||||
"org.apache.tika" % "tika-core" % "2.8.0",
|
"org.apache.tika" % "tika-core" % "2.8.0",
|
||||||
"org.apache.tika" % "tika-parsers-standard-package" % "2.8.0",
|
"org.apache.tika" % "tika-parsers-standard-package" % "2.8.0",
|
||||||
"org.scala-lang.modules" %% "scala-xml" % "2.2.0"
|
"org.scala-lang.modules" %% "scala-xml" % "2.2.0",
|
||||||
|
"jakarta.ws.rs" % "jakarta.ws.rs-api" % "3.1.0"
|
||||||
)
|
)
|
||||||
|
@ -0,0 +1,22 @@
|
|||||||
|
package org.bigbluebutton.api.model.constraint;
|
||||||
|
|
||||||
|
import org.bigbluebutton.api.model.validator.ContentTypeValidator;
|
||||||
|
|
||||||
|
import javax.validation.Constraint;
|
||||||
|
import javax.validation.Payload;
|
||||||
|
import java.lang.annotation.Retention;
|
||||||
|
import java.lang.annotation.Target;
|
||||||
|
|
||||||
|
import static java.lang.annotation.ElementType.FIELD;
|
||||||
|
import static java.lang.annotation.RetentionPolicy.RUNTIME;
|
||||||
|
|
||||||
|
@Constraint(validatedBy = ContentTypeValidator.class)
|
||||||
|
@Target(FIELD)
|
||||||
|
@Retention(RUNTIME)
|
||||||
|
public @interface ContentTypeConstraint {
|
||||||
|
|
||||||
|
String key() default "contentTypeError";
|
||||||
|
String message() default "Request content type is not supported";
|
||||||
|
Class<?>[] groups() default {};
|
||||||
|
Class<? extends Payload>[] payload() default {};
|
||||||
|
}
|
@ -1,5 +1,6 @@
|
|||||||
package org.bigbluebutton.api.model.shared;
|
package org.bigbluebutton.api.model.shared;
|
||||||
|
|
||||||
|
import org.bigbluebutton.api.model.constraint.ContentTypeConstraint;
|
||||||
import org.bigbluebutton.api.model.constraint.NotEmpty;
|
import org.bigbluebutton.api.model.constraint.NotEmpty;
|
||||||
import org.bigbluebutton.api.util.ParamsUtil;
|
import org.bigbluebutton.api.util.ParamsUtil;
|
||||||
|
|
||||||
@ -15,6 +16,7 @@ public abstract class Checksum {
|
|||||||
|
|
||||||
protected String queryStringWithoutChecksum;
|
protected String queryStringWithoutChecksum;
|
||||||
|
|
||||||
|
@ContentTypeConstraint
|
||||||
protected HttpServletRequest request;
|
protected HttpServletRequest request;
|
||||||
|
|
||||||
public Checksum(String apiCall, String checksum, HttpServletRequest request) {
|
public Checksum(String apiCall, String checksum, HttpServletRequest request) {
|
||||||
|
@ -0,0 +1,44 @@
|
|||||||
|
package org.bigbluebutton.api.model.validator;
|
||||||
|
|
||||||
|
import jakarta.ws.rs.core.MediaType;
|
||||||
|
import org.apache.commons.compress.utils.Sets;
|
||||||
|
import org.bigbluebutton.api.model.constraint.ContentTypeConstraint;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.validation.ConstraintValidator;
|
||||||
|
import javax.validation.ConstraintValidatorContext;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
public class ContentTypeValidator implements ConstraintValidator<ContentTypeConstraint, HttpServletRequest> {
|
||||||
|
|
||||||
|
private static final Logger log = LoggerFactory.getLogger(ContentTypeValidator.class);
|
||||||
|
|
||||||
|
private static final Set<String> SUPPORTED_CONTENT_TYPES = Sets.newHashSet(
|
||||||
|
MediaType.APPLICATION_XML,
|
||||||
|
MediaType.APPLICATION_JSON,
|
||||||
|
MediaType.APPLICATION_FORM_URLENCODED,
|
||||||
|
MediaType.MULTIPART_FORM_DATA
|
||||||
|
);
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void initialize(ContentTypeConstraint constraintAnnotation) {}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isValid(HttpServletRequest request, ConstraintValidatorContext context) {
|
||||||
|
String requestMethod = request.getMethod();
|
||||||
|
String contentType = request.getContentType();
|
||||||
|
log.info("Validating {} request with content type {}", requestMethod, contentType);
|
||||||
|
|
||||||
|
boolean requestBodyPresent = request.getContentLength() > 0;
|
||||||
|
if (requestBodyPresent) {
|
||||||
|
if (contentType == null) return false;
|
||||||
|
else {
|
||||||
|
return SUPPORTED_CONTENT_TYPES.contains(contentType);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
@ -4,6 +4,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||||||
import javax.validation.ConstraintValidator;
|
import javax.validation.ConstraintValidator;
|
||||||
import javax.validation.ConstraintValidatorContext;
|
import javax.validation.ConstraintValidatorContext;
|
||||||
|
|
||||||
|
import jakarta.ws.rs.core.MediaType;
|
||||||
import org.apache.commons.codec.digest.DigestUtils;
|
import org.apache.commons.codec.digest.DigestUtils;
|
||||||
import org.bigbluebutton.api.model.constraint.GetChecksumConstraint;
|
import org.bigbluebutton.api.model.constraint.GetChecksumConstraint;
|
||||||
import org.bigbluebutton.api.model.shared.GetChecksum;
|
import org.bigbluebutton.api.model.shared.GetChecksum;
|
||||||
@ -27,7 +28,12 @@ public class GetChecksumValidator implements ConstraintValidator<GetChecksumCons
|
|||||||
boolean queryStringPresent = request.getQueryString() != null && !request.getQueryString().isEmpty();
|
boolean queryStringPresent = request.getQueryString() != null && !request.getQueryString().isEmpty();
|
||||||
boolean requestBodyPresent = request.getContentLength() > 0;
|
boolean requestBodyPresent = request.getContentLength() > 0;
|
||||||
|
|
||||||
if (queryStringPresent && requestBodyPresent) return false;
|
String contentType = request.getContentType();
|
||||||
|
if (contentType != null) {
|
||||||
|
if (contentType.equalsIgnoreCase(MediaType.APPLICATION_FORM_URLENCODED) || contentType.equalsIgnoreCase(MediaType.MULTIPART_FORM_DATA)) {
|
||||||
|
if (queryStringPresent && requestBodyPresent) return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (securitySalt.isEmpty()) {
|
if (securitySalt.isEmpty()) {
|
||||||
log.warn("Security is disabled in this service. Make sure this is intentional.");
|
log.warn("Security is disabled in this service. Make sure this is intentional.");
|
||||||
|
@ -136,7 +136,6 @@ class ApiController {
|
|||||||
|
|
||||||
log.info("attendeePW [${attendeePW}]")
|
log.info("attendeePW [${attendeePW}]")
|
||||||
log.info("moderatorPW [${moderatorPW}]")
|
log.info("moderatorPW [${moderatorPW}]")
|
||||||
log.info("Content length type [${}]")
|
|
||||||
|
|
||||||
if(attendeePW.equals("")) log.info("attendeePW is empty")
|
if(attendeePW.equals("")) log.info("attendeePW is empty")
|
||||||
if(moderatorPW.equals("")) log.info("moderatorPW is empty")
|
if(moderatorPW.equals("")) log.info("moderatorPW is empty")
|
||||||
|
Loading…
Reference in New Issue
Block a user