Verify insecure paths with ..\ and '..//'. Add more tests.

OlgaMaciaszek · OlgaMaciaszek · commit 7f02baf32d78 · 2021-01-22T10:55:26.000+01:00
diff --git a/spring-cloud-netflix-zuul/src/main/java/org/springframework/cloud/netflix/zuul/filters/pre/PreDecorationFilter.java b/spring-cloud-netflix-zuul/src/main/java/org/springframework/cloud/netflix/zuul/filters/pre/PreDecorationFilter.java
@@ -262,6 +262,12 @@ private boolean isInsecurePath(String path) {
 			}
 			return true;
 		}
+		if (path.contains("..\\")) {
+			if (log.isWarnEnabled()) {
+				log.warn("Path contains \"..\\\"");
+			}
+			return true;
+		}
 		return false;
 	}
 
diff --git a/spring-cloud-netflix-zuul/src/test/java/org/springframework/cloud/netflix/zuul/filters/pre/PreDecorationFilterTests.java b/spring-cloud-netflix-zuul/src/test/java/org/springframework/cloud/netflix/zuul/filters/pre/PreDecorationFilterTests.java
@@ -714,9 +714,51 @@ public void exceptionThrownForInsecurePath() {
 				.isInstanceOf(InsecureRequestPathException.class);
 	}
 
+	@Test
+	public void exceptionThrownForInsecurePathWithBackslash() {
+		request.setRequestURI("'/api/..\\admin/index'");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
+	@Test
+	public void exceptionThrownForInsecurePathWithDoubleSlash() {
+		request.setRequestURI("'/api/..//admin/index'");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
+	@Test
+	public void exceptionThrownForEncodedInsecurePathWithBackslash() {
+		request.setRequestURI("%27%2Fapi%2F..%5Cadmin%2Findex%27");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
+	@Test
+	public void exceptionThrownForEncodedInsecurePathWithDoubleSlash() {
+		request.setRequestURI("%27%2Fapi%2F..%2F%2Fadmin%2Findex%27");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
+	@Test
+	public void exceptionThrownForDoubleEncodedInsecurePathWithBackslash() {
+		request.setRequestURI("%2527%252Fapi%252F..%255Cadmin%252Findex%2527");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
+	@Test
+	public void exceptionThrownForDoubleEncodedInsecurePathWithDoubleSlash() {
+		request.setRequestURI("%27%2Fapi%2F..%2F%2Fadmin%2Findex%27");
+		assertThatThrownBy(() -> filter.run())
+				.isInstanceOf(InsecureRequestPathException.class);
+	}
+
 	@Test
 	public void exceptionThrownForEncodedInsecurePath() {
-		request.setRequestURI("%27%2Fapi%2F..%3B%2Fadmin%2Findex%27");
+		request.setRequestURI("%2527%252Fapi%252F..%252F%252Fadmin%252Findex%2527");
 		assertThatThrownBy(() -> filter.run())
 				.isInstanceOf(InsecureRequestPathException.class);
 	}

Original file line number	Diff line number	Diff line change
`@@ -262,6 +262,12 @@ private boolean isInsecurePath(String path) {`
`262`	`262`	`}`
`263`	`263`	`return true;`
`264`	`264`	`}`
	`265`	`+ if (path.contains("..\\")) {`
	`266`	`+ if (log.isWarnEnabled()) {`
	`267`	`+ log.warn("Path contains \"..\\\"");`
	`268`	`+ }`
	`269`	`+ return true;`
	`270`	`+ }`
`265`	`271`	`return false;`
`266`	`272`	`}`
`267`	`273`