package io.tetrate.log4shell.vulnerable;
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.nimbusds.jose.JWSObject;
import net.minidev.json.JSONObject;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
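/**
 * Demo servlet that greets the caller using the name and group claims of a JWS token
 * carried in the {@code Authorization} header.
 *
 * <p>This servlet is intentionally vulnerable (see the package name): the token is only
 * decoded, never signature-verified, and its raw payload is concatenated into a Log4j
 * message, which is the Log4Shell trigger the demo exists to show. Every value read from
 * the token must be treated as attacker-controlled.
 */
public class GreetingsServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final String NAME_CLAIM = "name";
    private static final String GROUP_CLAIM = "https://zta-demo/group";
    private static final Logger log = LogManager.getLogger(GreetingsServlet.class.getName());

    /**
     * Writes a plain-text greeting, the caller's group (when the claim is present), the
     * path being accessed and, when a token was supplied, the serialized token itself.
     *
     * @param request  the current request; only the {@code Authorization} header, the
     *                 request URI and the context path are read
     * @param response receives a {@code 200 text/plain} body
     * @throws IOException      if the response writer cannot be obtained or written
     * @throws ServletException never thrown here; declared by the overridden method
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = "anonymous";
        String group = null;
        JWSObject token = getToken(request);
        if (token != null) {
            // toJSONObject() yields null when the payload is not a JSON object; skip the
            // claims rather than fail the whole request on a malformed token.
            JSONObject payload = token.getPayload().toJSONObject();
            if (payload != null) {
                // Claims are unverified and may be of any JSON type; only accept strings so a
                // non-string or missing claim degrades to the default instead of throwing.
                user = stringClaim(payload, NAME_CLAIM, user);
                group = stringClaim(payload, GROUP_CLAIM, null);
                // These log lines may trigger the Log4Shell attack vector if the JWT token
                // contains any malicious claim! Kept on purpose: this is what the demo shows.
                log.info("token payload: " + payload.toJSONString());
                log.info("user resolved to: " + user);
            } else {
                log.debug("token payload is not a JSON object; ignoring claims");
            }
        }
        response.setContentType("text/plain");
        response.setStatus(HttpServletResponse.SC_OK);
        PrintWriter out = response.getWriter();
        out.println("Welcome, " + user + "!");
        if (group != null) {
            out.println("Group: " + group);
        }
        // Strip the context path so the demo prints the application-relative path.
        out.println("Accessing: " + request.getRequestURI().substring(request.getContextPath().length()));
        if (token != null) {
            out.println("\n\nAuthenticated with token:\n" + token.serialize());
        }
    }

    /**
     * Reads a claim as a string.
     *
     * @param payload  decoded (unverified) token payload
     * @param claim    claim name to look up
     * @param fallback value returned when the claim is absent or not a string
     * @return the claim value, or {@code fallback}
     */
    private static String stringClaim(JSONObject payload, String claim, String fallback) {
        Object value = payload.get(claim);
        return value instanceof String ? (String) value : fallback;
    }

    /**
     * Decodes, without verifying, the JWS carried in the {@code Authorization} header.
     *
     * @param req the request whose {@code Authorization} header is inspected
     * @return the parsed token, or {@code null} when the header is missing, does not have the
     *         {@code <scheme> <token>} shape, or the token part is not a parseable JWS
     */
    private JWSObject getToken(HttpServletRequest req) {
        String auth = req.getHeader("Authorization");
        if (auth == null) {
            // Header lookup is case-insensitive per the Servlet spec; the retry is kept for
            // containers that do not honour that.
            auth = req.getHeader("authorization");
            if (auth == null) {
                log.debug("no authorization header present");
                return null;
            }
        }
        // Expect "<scheme> <token>". Surrounding and repeated whitespace is tolerated; the
        // scheme itself is not checked, so any scheme (not only Bearer) is accepted.
        String[] parts = auth.trim().split("\\s+");
        if (parts.length != 2) {
            log.debug("invalid authorization header value");
            return null;
        }
        try {
            // parse() only splits and base64-decodes the three segments; no JWSVerifier is
            // applied, so nothing about the returned token can be trusted.
            return JWSObject.parse(parts[1]);
        } catch (Exception ex) {
            // Broad catch is deliberate: any failure to decode the header must degrade to an
            // anonymous request, not a 500. The header value itself is intentionally not logged.
            log.debug("could not parse JWS from authorization header", ex);
            return null;
        }
    }
}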