KEYCLOAK-703 Check valid origin is passed to login-status-iframe

keycloak · Oct 21, 2014 · 63b41e2 · 63b41e2
1 parent ed895ce
commit 63b41e2
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/core/src/main/java/org/keycloak/util/UriUtils.java b/core/src/main/java/org/keycloak/util/UriUtils.java
@@ -1,12 +1,15 @@
 package org.keycloak.util;
 
 import java.net.URI;
+import java.util.regex.Pattern;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
  */
 public class UriUtils {
 
+    private static final Pattern originPattern = Pattern.compile("(http://|https://)[\\w]+(\\.[\\w]+)*(:[\\d]{2,5})?");
+
     public static String getOrigin(URI uri) {
         return getOrigin(uri.toString());
     }
@@ -16,4 +19,8 @@ public static String getOrigin(String uri) {
         return u.substring(0, u.indexOf('/', 8));
     }
 
+    public static boolean isOrigin(String url) {
+        return originPattern.matcher(url).matches();
+    }
+
 }
diff --git a/core/src/test/java/org/keycloak/util/UriUtilsTest.java b/core/src/test/java/org/keycloak/util/UriUtilsTest.java
@@ -0,0 +1,44 @@
+package org.keycloak.util;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class UriUtilsTest {
+
+    @Test
+    public void testOrigins() {
+        assertValid("http://test");
+        assertValid("http://test:8080");
+        assertValid("https://test");
+        assertValid("http://test.com");
+        assertValid("https://test.com");
+        assertValid("https://test.com:8080");
+        assertValid("http://sub.test.com");
+        assertValid("https://sub.test.com");
+        assertValid("https://sub.test.com:8080");
+        assertValid("http://192.168.123.123");
+        assertValid("https://192.168.123.123");
+        assertValid("https://192.168.123.123:8080");
+
+        assertInvalid("https://test/");
+        assertInvalid("{");
+        assertInvalid("https://{}");
+        assertInvalid("https://)");
+        assertInvalid("http://test:test");
+        assertInvalid("http://test:8080:8080");
+    }
+
+    public void assertValid(String origin) {
+        assertTrue(UriUtils.isOrigin(origin));
+    }
+
+    public void assertInvalid(String origin) {
+        assertFalse(UriUtils.isOrigin(origin));
+    }
+
+}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java b/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java
@@ -44,6 +44,7 @@
 import org.keycloak.util.Base64Url;
 import org.keycloak.util.BasicAuthHelper;
 import org.keycloak.util.StreamUtil;
+import org.keycloak.util.UriUtils;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
@@ -188,6 +189,10 @@ public static UriBuilder refreshUrl(UriBuilder baseUriBuilder) {
     @Produces(MediaType.TEXT_HTML)
     public Response getLoginStatusIframe(@QueryParam("client_id") String client_id,
                                          @QueryParam("origin") String origin) {
+        if (!UriUtils.isOrigin(origin)) {
+            throw new BadRequestException("Invalid origin");
+        }
+
         ClientModel client = realm.findClient(client_id);
         if (client == null) {
             throw new NotFoundException("could not find client: " + client_id);