Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ISPN-10224 Fix session fixation protection #6960

Closed
wants to merge 1 commit into from
Closed

ISPN-10224 Fix session fixation protection #6960

wants to merge 1 commit into from

Conversation

thelateperseus
Copy link
Contributor

@thelateperseus thelateperseus commented May 23, 2019
edited
Loading

org.infinispan.spring.common.session.AbstractInfinispanSessionRepository implements the save(MapSession) method defined by org.springframework.session.SessionRepository. However, the implementation does not correctly handle when the session id changes. When getId() returns a different value from getOriginalId(), the original session should be deleted.

Note that Spring Session's MapSessionRepository.save implementation has the correct behaviour.

I couldn't get the Maven build working, so I can't guarantee it compiles.

https://issues.jboss.org/browse/ISPN-10245

This issue was discovered by @the-cartographer has been assigned CVE-2019-10158.

@ghost
Copy link

ghost commented May 23, 2019

Can one of the admins verify this patch?

1 similar comment
@ghost
Copy link

ghost commented May 23, 2019

Can one of the admins verify this patch?

@ryanemerson ryanemerson requested a review from karesti May 23, 2019 08:50
@tristantarrant
Copy link
Member

@thelateperseus I'm curious about what part of the maven build failed for you.
mvn clean install -DskipTests should work out-of-the-box

@thelateperseus
Copy link
Contributor Author

@tristantarrant I had a lot of problems with our corporate proxy. Once I got past them, I got a failure on the Infinispan Core tests (I didn't specify -DskipTests).

@tristantarrant
Copy link
Member

Unfortunately there are 4-5 unstable tests (within over 25K tests). We are addressing these. The ideal way to test your changes is to do a full build with -DskipTests and then do a mvn verify -pl path/to/module

@thelateperseus
Copy link
Contributor Author

Thanks. I'll give that a try when I'm back in the office tomorrow.

@thelateperseus
Copy link
Contributor Author

@tristantarrant I got an error about not being able to download a JAR when I ran mvn clean install -DskipTests. I had to add -s maven-settings.xml to get it to work.

mvn verify -pl spring/spring5/spring5-embedded -s maven-settings.xml results in lots of test failures related to XML parsing (see below).

  <testcase classname="org.infinispan.spring.embedded.config.InfinispanEmbeddedCacheManagerDefinitionTest" name="springTestContextPrepareTestInstance" time="0.061">
    <failure type="java.lang.IllegalStateException" message="Failed to load ApplicationContext">
      <![CDATA[java.lang.IllegalStateException: Failed to load ApplicationContext
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:125)
at org.springframework.test.context.support.DefaultTestContext.getApplicationContext(DefaultTestContext.java:108)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.injectDependencies(DependencyInjectionTestExecutionListener.java:118)
at org.springframework.test.context.support.DependencyInjectionTestExecutionListener.prepareTestInstance(DependencyInjectionTestExecutionListener.java:83)
at org.springframework.test.context.TestContextManager.prepareTestInstance(TestContextManager.java:246)
at org.springframework.test.context.testng.AbstractTestNGSpringContextTests.springTestContextPrepareTestInstance(AbstractTestNGSpringContextTests.java:145)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 8 in XML document from class path resource [org/infinispan/spring/embedded/config/InfinispanEmbeddedCacheManagerDefinitionTest-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 8; columnNumber: 42; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'infinispan:embedded-cache-manager'.
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:404)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:336)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:304)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:188)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:224)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:195)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:257)
at org.springframework.test.context.support.AbstractGenericContextLoader.loadBeanDefinitions(AbstractGenericContextLoader.java:257)
at org.springframework.test.context.support.AbstractGenericContextLoader.loadContext(AbstractGenericContextLoader.java:124)
at org.springframework.test.context.support.AbstractGenericContextLoader.loadContext(AbstractGenericContextLoader.java:60)
at org.springframework.test.context.support.AbstractDelegatingSmartContextLoader.delegateLoading(AbstractDelegatingSmartContextLoader.java:275)
at org.springframework.test.context.support.AbstractDelegatingSmartContextLoader.loadContext(AbstractDelegatingSmartContextLoader.java:243)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContextInternal(DefaultCacheAwareContextLoaderDelegate.java:99)
at org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate.loadContext(DefaultCacheAwareContextLoaderDelegate.java:117)
... 26 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 8; columnNumber: 42; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'infinispan:embedded-cache-manager'.
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:135)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:396)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:511)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3587)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2143)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.emptyElement(XMLSchemaValidator.java:849)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:351)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2710)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at java.xml/com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:246)
at java.xml/com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:77)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadDocument(XmlBeanDefinitionReader.java:434)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:392)
... 39 more
... Removed 17 stack frames]]>
    </failure>
  </testcase>
 <!-- springTestContextPrepareTestInstance -->

However, mvn test -Dtest=InfinispanEmbeddedSessionRepositoryTest -pl spring/spring5/spring5-embedded -s maven-settings.xml completes successfully, so I assume that means my changes compile and test successfully.

karesti
karesti requested changes May 29, 2019
View reviewed changes
Copy link
Contributor

@karesti karesti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opened a JIRA ticket to use it in the message.
I'm not sure about using deleteById method in the case of a sessionId changed (instead of deleting from infinispan) I need to check this with spring session people

.../src/main/java/org/infinispan/spring/common/session/AbstractInfinispanSessionRepository.java
if (valueWrapper == null) {
return;
}
MapSession mapSession = (MapSession) valueWrapper.get();
if (mapSession != null) {
applicationEventPublisher.emitSessionDeletedEvent(mapSession);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure we need to send a session deleted event when the id has changed. I need to double check this behavior with spring session people.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grabbing a look to other code I know that we should not call deleteById but remove the entry from the repository using Infinispan remove and skip notifications. I will add a commit with the correction soon

karesti
karesti requested changes Jun 4, 2019
View reviewed changes
.../src/main/java/org/infinispan/spring/common/session/AbstractInfinispanSessionRepository.java
if (valueWrapper == null) {
return;
}
MapSession mapSession = (MapSession) valueWrapper.get();
if (mapSession != null) {
applicationEventPublisher.emitSessionDeletedEvent(mapSession);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grabbing a look to other code I know that we should not call deleteById but remove the entry from the repository using Infinispan remove and skip notifications. I will add a commit with the correction soon

@karesti karesti closed this Jun 10, 2019
@karesti
Copy link
Contributor

karesti commented Jun 10, 2019

closing in favor of #7025

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karesti karesti karesti requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thelateperseus @tristantarrant @karesti