ACS-3635 Alfresco WebDAV CSRF - allowInsecurePOSTMethod flag (#1488)

2025-07-24 17:32:48 +00:00 · 2022-10-11 15:05:48 +02:00
parent fa1e616c72
commit 59ab7e9458
5 changed files with 152 additions and 0 deletions
--- a/remote-api/src/main/java/org/alfresco/repo/webdav/WebDAVServlet.java
+++ b/remote-api/src/main/java/org/alfresco/repo/webdav/WebDAVServlet.java
@@ -121,6 +121,13 @@ public class WebDAVServlet extends HttpServlet
            startTime = System.currentTimeMillis();
        }

+        if (request.getMethod().equals(WebDAV.METHOD_POST) && !initParams.allowInsecurePOSTMethod())
+        {
+            logger.error("POST method is not allowed!");
+            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+            return;
+        }
+
        FileFilterMode.setClient(Client.webdav);

        try
@@ -407,6 +414,7 @@ public class WebDAVServlet extends HttpServlet
        private String storeName;
        private String rootPath;
        private String urlPathPrefix;
+        private boolean allowInsecurePOSTMethod = false;
        
        public boolean getEnabled()
        {
@@ -482,5 +490,15 @@ public class WebDAVServlet extends HttpServlet
        {
            this.urlPathPrefix = urlPathPrefix;
        }
+
+        public boolean allowInsecurePOSTMethod()
+        {
+            return allowInsecurePOSTMethod;
+        }
+
+        public void setAllowInsecurePOSTMethod(boolean allowInsecurePOSTMethod)
+        {
+            this.allowInsecurePOSTMethod = allowInsecurePOSTMethod;
+        }
    }
 }
--- a/remote-api/src/main/resources/alfresco/remote-api-context.xml
+++ b/remote-api/src/main/resources/alfresco/remote-api-context.xml
@@ -8,6 +8,7 @@
        <property name="enabled" value="${system.webdav.servlet.enabled}" />
        <property name="storeName" value="${system.webdav.storeName}" />
        <property name="rootPath" value="${system.webdav.rootPath}" />
+        <property name="allowInsecurePOSTMethod" value="${system.webdav.allowInsecurePOSTMethod}" />
    </bean>
    
    <bean id="webDAVLockService" class="org.alfresco.repo.webdav.WebDAVLockServiceImpl">
--- a/remote-api/src/test/java/org/alfresco/AppContextExtraTestSuite.java
+++ b/remote-api/src/test/java/org/alfresco/AppContextExtraTestSuite.java
@@ -99,6 +99,7 @@ import org.junit.runners.Suite;
    org.alfresco.repo.webdav.WebDAVMethodTest.class,
    org.alfresco.repo.webdav.PutMethodTest.class,
    org.alfresco.repo.webdav.WebDAVonContentUpdateTest.class,
+    org.alfresco.repo.webdav.WebDAVInsecurePostMethodTest.class,

    // [classpath:test-rest-context.xml]
    org.alfresco.rest.framework.tests.core.ExceptionResolverTests.class,
--- a/remote-api/src/test/java/org/alfresco/repo/webdav/WebDAVInsecurePostMethodTest.java
+++ b/remote-api/src/test/java/org/alfresco/repo/webdav/WebDAVInsecurePostMethodTest.java
@@ -0,0 +1,131 @@
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+
+package org.alfresco.repo.webdav;
+
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.Hashtable;
+
+import org.alfresco.repo.webdav.WebDAVServlet.WebDAVInitParameters;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+/**
+ * Tests for the allowInsecurePOSTMethod flag.
+ *
+ * @see  WebDAVInitParameters
+ * @author Aleksandra Onych
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class WebDAVInsecurePostMethodTest
+{
+    private WebDAVServlet davServlet;
+    private @Mock WebDAVInitParameters webDAVInitParameters;
+    private @Mock HttpServletRequest request;
+    private @Mock HttpServletResponse response;
+    private @Mock Hashtable<String,Class<? extends WebDAVMethod>> davMethods;
+
+    @Before
+    public void setUp()
+    {
+        davServlet = new WebDAVServlet();
+        ReflectionTestUtils.setField(davServlet, "initParams", webDAVInitParameters);
+        ReflectionTestUtils.setField(davServlet, "m_davMethods", davMethods);
+        when(webDAVInitParameters.getEnabled()).thenReturn(true);
+    }
+
+
+    @Test
+    public void shouldReturn405StatusWhenPostMethodIsNotAllowed() throws ServletException, IOException
+    {
+        prepareRequest(WebDAV.METHOD_POST);
+        when(webDAVInitParameters.allowInsecurePOSTMethod()).thenReturn(false);
+
+        davServlet.service(request, response);
+
+        verify(response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
+    @Test
+    public void shouldNotReturn405StatusWhenPostMethodIsAllowed() throws ServletException, IOException
+    {
+        prepareRequest(WebDAV.METHOD_POST);
+        when(webDAVInitParameters.allowInsecurePOSTMethod()).thenReturn(true);
+
+        davServlet.service(request, response);
+
+        verify(response, never()).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
+    @Test
+    public void shouldNotReturn405StatusForPutMethod() throws ServletException, IOException
+    {
+        prepareRequest(WebDAV.METHOD_PUT);
+
+        davServlet.service(request, response);
+
+        verify(response, never()).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
+    @Test
+    public void shouldNotReturn405StatusForGetMethod() throws ServletException, IOException
+    {
+        prepareRequest(WebDAV.METHOD_GET);
+
+        davServlet.service(request, response);
+
+        verify(response, never()).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
+    @Test
+    public void shouldNotReturn405StatusForDeleteMethod() throws ServletException, IOException
+    {
+        prepareRequest(WebDAV.METHOD_DELETE);
+
+        davServlet.service(request, response);
+
+        verify(response, never()).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
+    private void prepareRequest(String requestMethodName)
+    {
+        doReturn(PutMethod.class).when(davMethods).get(requestMethodName);
+        when(request.getMethod()).thenReturn(requestMethodName);
+    }
+}