@@ -1,4 +1,5 @@ | ||
/target/ | ||
/shinyproxy.log | ||
/application.yml | ||
/.project | ||
/.project | ||
*.gz |
@@ -1,80 +1,81 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-ldap-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-ldap@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-core-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-jwt-1.1.1.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
</suppress> | ||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2018-1258 | ||
Vulnerability only applies when using spring-framework 5.0.5 -> we are not using that version. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-oauth2-core-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-core@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<!-- <notes><![CDATA[--> | ||
<!-- file name: spring-security-ldap-5.3.9.RELEASE.jar--> | ||
<!-- ]]></notes>--> | ||
<!-- <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-ldap@.*$</packageUrl>--> | ||
<cve>CVE-2018-1258</cve> | ||
</suppress> | ||
|
||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2021-22112 | ||
Only applies if using Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, | ||
we are using 5.3.9. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-core-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<notes><![CDATA[ | ||
file name: spring-security-jwt-1.1.1.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl> | ||
<cve>CVE-2021-22112</cve> | ||
</suppress> | ||
|
||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2020-14359 | ||
Only applies to Keycloak-gatekeeper not the keycloak libraries. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-jwt-1.1.1.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-jwt@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<cve>CVE-2020-14359</cve> | ||
</suppress> | ||
|
||
|
||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2020-8908 | ||
Only applies if using com.google.common.io.Files.createTempDir(). | ||
We are not using this function directly. We are dependent on our library to remove the usage of this method. | ||
(the method is not fixed/removed from Guava so updating has no influence) | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-oauth2-core-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-core@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<cve>CVE-2020-8908</cve> | ||
</suppress> | ||
|
||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2020-8554 | ||
Only applies to Kubernetes API server not the kubernetes libraries. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-web-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<cve>CVE-2020-8554</cve> | ||
</suppress> | ||
|
||
|
||
<!-- | ||
Only applies to the official Kubernetes Java client, not the client from fabric8io we are using. | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-oauth2-jose-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-jose@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<cve>CVE-2020-8570</cve> | ||
</suppress> | ||
|
||
|
||
<!-- | ||
https://nvd.nist.gov/vuln/detail/CVE-2021-29425 | ||
Only applies to Apache Commons IO before 2.7, but we are using 2.7. (however somewhere this version is referred). | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-oauth2-client-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<sha1>7e39112810f6096061c43504188d18edc7d7eece</sha1> | ||
<cve>CVE-2021-29425</cve> | ||
</suppress> | ||
|
||
|
||
<!-- | ||
https://tanzu.vmware.com/security/cve-2015-5258 | ||
Only applies to springframework-social before 1.1.3, but we are using 1.1.6 (however somewhere this version is referred). | ||
--> | ||
<suppress> | ||
<notes><![CDATA[ | ||
file name: spring-security-config-5.3.4.RELEASE.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-config@.*$</packageUrl> | ||
<cve>CVE-2018-1258</cve> | ||
<cve>CVE-2015-5258</cve> | ||
</suppress> | ||
</suppressions> |
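Review bot: Every packageUrl regex ends in `@.*$` (the spring-security-config entry for CVE-2015-5258 and the spring-security-oauth2-client entry for CVE-2021-29425, for example), so each CVE is suppressed for every version of the artifact, while the justification written above each entry is version-specific ("we are using 5.3.9", "we are using 2.7"); if a downgrade or an older transitive copy ever appears, the finding stays hidden. Either bound the version in the regex or give the entry an expiry so it is revisited, e.g. `<suppress until="<REVIEW-DATE>Z">` (placeholder date in the yyyy-MM-ddZ form the suppression schema uses). The CVE-2020-8570 entry (the fabric8io comment) is also the only one without the NVD reference the other comments carry; `https://nvd.nist.gov/vuln/detail/CVE-2020-8570` would keep it consistent. This rendering does not mark which of the doubled lines are old and which are new, so I cannot tell on which side the notes blocks naming 5.3.4 jars sit next to a comment claiming 5.3.9; worth confirming the file name in each notes block matches the artifact actually shipped.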
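--- /dev/null
+++ b/src/main/java/eu/openanalytics/shinyproxy/AppRequestInfo.java
@@ -0,0 +1,118 @@
+/**
+* ShinyProxy
+*
+* Copyright (C) 2016-2021 Open Analytics
+*
+* ===========================================================================
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the Apache License as published by
+* The Apache Software Foundation, either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* Apache License for more details.
+*
+* You should have received a copy of the Apache License
+* along with this program. If not, see <http://www.apache.org/licenses/>
+*/
+package eu.openanalytics.shinyproxy;
+
+import eu.openanalytics.containerproxy.util.BadRequestException;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class AppRequestInfo {
+
+private static final Pattern APP_INSTANCE_PATTERN = Pattern.compile(".*?/(app_i|app_direct_i)/([^/]*)/([^/]*)(/?.*)");
+private static final Pattern APP_PATTERN = Pattern.compile(".*?/(app|app_direct)/([^/]*)(/?.*)");
+private static final Pattern INSTANCE_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9_.-]*$");
+
+private final String appName;
+private final String appInstance;
+private final String subPath;
+
+public AppRequestInfo(String appName, String appInstance, String subPath) {
+this.appName = appName;
+this.appInstance = appInstance;
+this.subPath = subPath;
+}
+
+public static AppRequestInfo fromRequestOrException(HttpServletRequest request) {
+AppRequestInfo result = fromURI(request.getRequestURI());
+if (result == null) {
+throw new BadRequestException("Error parsing URL.");
+}
+return result;
+}
+
+public static AppRequestInfo fromURI(String uri) {
+Matcher appMatcher = APP_PATTERN.matcher(uri);
+Matcher appInstanceMatcher = APP_INSTANCE_PATTERN.matcher(uri);
+if (appInstanceMatcher.matches()) {
+String appName = appInstanceMatcher.group(2);
+if (appName == null || appName.trim().equals("")) {
+throw new BadRequestException("Error parsing URL: name of app not found in URL.");
+}
+
+String appInstance = appInstanceMatcher.group(3);
+if (appInstance == null || appInstance.trim().equals("")) {
+throw new BadRequestException("Error parsing URL: name of instance not found in URL.");
+}
+
+if (appInstance.length() > 64 || !INSTANCE_NAME_PATTERN.matcher(appInstance).matches()) {
+throw new BadRequestException("Error parsing URL: name of instance contains invalid characters or is too long.");
+}
+
+String subPath = appInstanceMatcher.group(4);
+if (subPath == null || subPath.trim().equals("")) {
+subPath = null;
+} else {
+subPath = subPath.trim();
+}
+
+return new AppRequestInfo(appName, appInstance, subPath);
+} else if (appMatcher.matches()) {
+String appName = appMatcher.group(2);
+if (appName == null || appName.trim().equals("")) {
+throw new BadRequestException("Error parsing URL: name of app not found in URL.");
+}
+
+String appInstance = "_";
+
+String subPath = appMatcher.group(3);
+if (subPath == null || subPath.trim().equals("")) {
+subPath = null;
+} else {
+subPath = subPath.trim();
+}
+
+return new AppRequestInfo(appName, appInstance, subPath);
+} else {
+return null;
+}
+}
+
+public String getAppInstance() {
+return appInstance;
+}
+
+public String getAppInstanceDisplayName() {
+if (appInstance.equals("_")) {
+return "Default";
+}
+return appInstance;
+}
+
+public String getAppName() {
+return appName;
+}
+
+public String getSubPath() {
+return subPath;
+}
+}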
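Review bot: `fromURI` validates the instance name against `INSTANCE_NAME_PATTERN` and a 64-character limit, but the app name captured by `([^/]*)` gets no equivalent check in either branch, so anything other than `/` is accepted as long as it is non-blank — including percent-encoded sequences, since `getRequestURI()` hands back the undecoded path. If app names are restricted to the same character set (not visible in this hunk), reuse the check in both branches: `if (appName.length() > 64 || !INSTANCE_NAME_PATTERN.matcher(appName).matches()) {` / `throw new BadRequestException("Error parsing URL: name of app contains invalid characters or is too long.");` / `}`; a private `validateAppName` helper would keep the two branches from duplicating it. Separately, `appName` is tested with `trim()` but stored untrimmed while `subPath` is stored trimmed; either store `appName.trim()` or drop the trim from the check so the two agree. A class-level Javadoc should also say that the leading `.*?` in both patterns lets the `app`/`app_i` segment appear anywhere in the URI, not only at the root, since that affects how callers may rely on the parsed values.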