Avoid using RegexRequestMatcher due to [CVE-2022-22978] (#1258)

* Use ant instead of regex matcher.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* fix ant matcher

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>

* Do some cleanup and revert unnecessary changes.

Signed-off-by: Michael Herdt <Michael.Herdt@bosch.io>
This commit is contained in:
Michael Herdt
2022-06-10 18:28:59 +02:00
committed by GitHub
parent f15cc690f0
commit d3ef290ec7


@@ -455,7 +455,7 @@ public class SecurityManagedConfiguration {
http.csrf().disable(); http.csrf().disable();
http.anonymous().disable(); http.anonymous().disable();
http.regexMatcher(HttpDownloadAuthenticationFilter.REQUEST_ID_REGEX_PATTERN) http.antMatcher("/**/downloadId/**")
.addFilterBefore(downloadIdAuthenticationFilter, FilterSecurityInterceptor.class); .addFilterBefore(downloadIdAuthenticationFilter, FilterSecurityInterceptor.class);
http.authorizeRequests().anyRequest().authenticated().and().sessionManagement() http.authorizeRequests().anyRequest().authenticated().and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
@@ -521,7 +521,8 @@ public class SecurityManagedConfiguration {
@Override @Override
protected void configure(final HttpSecurity http) throws Exception { protected void configure(final HttpSecurity http) throws Exception {
HttpSecurity httpSec = http.regexMatcher("\\/rest.*|\\/system/admin.*").csrf().disable(); HttpSecurity httpSec = http.requestMatchers().antMatchers("/rest/**", "/system/admin/**").and().csrf()
.disable();
if (securityProperties.getCors().isEnabled()) { if (securityProperties.getCors().isEnabled()) {
httpSec = httpSec.cors().and(); httpSec = httpSec.cors().and();
@@ -693,9 +694,9 @@ public class SecurityManagedConfiguration {
// https://vaadin.com/forum#!/thread/3200565. // https://vaadin.com/forum#!/thread/3200565.
HttpSecurity httpSec; HttpSecurity httpSec;
if (enableOidc) { if (enableOidc) {
httpSec = http.regexMatcher("(?!.*HEARTBEAT)^.*\\/(UI|oauth2).*$"); httpSec = http.requestMatchers().antMatchers("/**/UI/**", "/**/oauth2/**").and();
} else { } else {
httpSec = http.regexMatcher("(?!.*HEARTBEAT)^.*\\/UI.*$"); httpSec = http.antMatcher("/**/UI/**");
} }
// disable as CSRF is handled by Vaadin // disable as CSRF is handled by Vaadin
httpSec.csrf().disable(); httpSec.csrf().disable();
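Review bot: The new `httpSec = http.antMatcher("/**/UI/**");` on the else branch, and the `antMatchers("/**/UI/**", "/**/oauth2/**")` on the OIDC branch above it, drop the `(?!.*HEARTBEAT)` exclusion the old regexes carried, so requests whose path contains HEARTBEAT now match this UI chain where they previously did not; the commit message does not say whether that narrowing of scope was intended or the exclusion was obsolete. If it is still needed it can be kept without a regex by composing matchers, e.g. `httpSec = http.requestMatcher(new AndRequestMatcher(new AntPathRequestMatcher("/**/UI/**"), new NegatedRequestMatcher(req -> req.getRequestURI().contains("HEARTBEAT"))));` (an `OrRequestMatcher` over the two ant patterns for the OIDC branch); if it is obsolete, a one-line comment next to `if (enableOidc)` stating that heartbeat requests are now deliberately handled here would spare the next reader the same question. The same review applies to the downloadId hunk, where `/**/downloadId/**` is now a literal that has to stay in step with `HttpDownloadAuthenticationFilter.REQUEST_ID_REGEX_PATTERN`, presumably still used by the filter itself — an ant-style constant on the filter would keep the two from drifting. The `configure` methods in all three hunks begin and end outside the shown lines.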