pac4j: untrustated data

- don't allow to set encoded data outside of pac4j internals

Author: jknack

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/Pac4jSession.java

@@ -0,0 +1,134 @@
+package io.jooby.internal.pac4j;
+
+import io.jooby.*;
+import io.jooby.pac4j.Pac4jUntrustedDataFound;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import java.time.Instant;
+import java.util.Map;
+
+class Pac4jSession  implements Session {
+  public static final String PAC4J = "p4j~";
+
+  public static final String BIN = "b64~";
+
+  private final Session session;
+
+  public Pac4jSession(@Nonnull Session session) {
+    this.session = session;
+  }
+
+  @Nullable
+  public String getId() {
+    return session.getId();
+  }
+
+  @Nonnull
+  public Value get(@Nonnull String name) {
+    return session.get(name);
+  }
+
+  @Nonnull
+  public Instant getLastAccessedTime() {
+    return session.getLastAccessedTime();
+  }
+
+  public void destroy() {
+    session.destroy();
+  }
+
+  @Nonnull
+  public Session setId(String id) {
+    session.setId(id);
+    return this;
+  }
+
+  @Nonnull
+  public Value remove(@Nonnull String name) {
+    return session.remove(name);
+  }
+
+  public boolean isNew() {
+    return session.isNew();
+  }
+
+  @Nonnull
+  public Session setNew(boolean isNew) {
+    session.setNew(isNew);
+    return this;
+  }
+
+  @Nonnull
+  public Session setLastAccessedTime(@Nonnull Instant lastAccessedTime) {
+    session.setLastAccessedTime(lastAccessedTime);
+    return this;
+  }
+
+  public boolean isModify() {
+    return session.isModify();
+  }
+
+  @Nonnull
+  public Session setCreationTime(@Nonnull Instant creationTime) {
+    session.setCreationTime(creationTime);
+    return this;
+  }
+
+  @Nonnull
+  public Session setModify(boolean modify) {
+    session.setModify(modify);
+    return this;
+  }
+
+  public Session renewId() {
+    session.renewId();
+    return this;
+  }
+
+  @Nonnull
+  public Instant getCreationTime() {
+    return session.getCreationTime();
+  }
+
+  @Nonnull
+  public Map<String, String> toMap() {
+    return session.toMap();
+  }
+
+  public Session clear() {
+    session.clear();
+    return this;
+  }
+
+  public Session getSession() {
+    return session;
+  }
+
+  public static Context create(Context ctx) {
+    return new ForwardingContext(ctx) {
+      @Nonnull
+      @Override
+      public Session session() {
+        return new Pac4jSession(super.session());
+      }
+
+      @Override
+      public Session sessionOrNull() {
+        Session session =  super.sessionOrNull();
+        return session == null ? null : new Pac4jSession(session);
+      }
+    };
+  }
+
+  @Nonnull
+  @Override
+  public Session put(@Nonnull String name, @Nonnull String value) {
+    if (value != null) {
+      if (value.startsWith(PAC4J) || value.startsWith(BIN)) {
+        throw new Pac4jUntrustedDataFound(name);
+      }
+    }
+    return session.put(name, value);
+  }
+}

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java

@@ -6,7 +6,6 @@
 package io.jooby.internal.pac4j;
 
 import io.jooby.Session;
-import io.jooby.SneakyThrows;
 import io.jooby.Value;
 import io.jooby.pac4j.Pac4jContext;
 import org.pac4j.core.context.session.SessionStore;
@@ -21,13 +20,9 @@
 import org.pac4j.core.exception.http.UnauthorizedAction;
 import org.pac4j.core.exception.http.WithContentAction;
 import org.pac4j.core.exception.http.WithLocationAction;
+import org.pac4j.core.util.JavaSerializationHelper;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.util.Base64;
+import java.io.*;
 import java.util.Optional;
 
 import static io.jooby.StatusCode.BAD_REQUEST_CODE;
@@ -42,16 +37,19 @@
 public class SessionStoreImpl
     implements org.pac4j.core.context.session.SessionStore<Pac4jContext> {
 
-  private static final String PAC4J = "p4j~";
-
-  private static final String BIN = "b64~";
-
   private Session getSession(Pac4jContext context) {
-    return context.getContext().session();
+    return session(context.getContext().session());
+  }
+
+  private Session session(Session session) {
+    if (session instanceof Pac4jSession) {
+      return ((Pac4jSession) session).getSession();
+    }
+    return session;
   }
 
   private Optional<Session> getSessionOrEmpty(Pac4jContext context) {
-    return Optional.ofNullable(context.getContext().sessionOrNull());
+    return Optional.ofNullable(session(context.getContext().sessionOrNull()));
   }
 
   @Override public String getOrCreateSessionId(Pac4jContext context) {
@@ -94,7 +92,7 @@ private Optional<Session> getSessionOrEmpty(Pac4jContext context) {
   }
 
   @Override public boolean renewSession(Pac4jContext context) {
-    //getSessionOrEmpty(context).ifPresent(session -> session.renewId());
+    getSessionOrEmpty(context).ifPresent(Session::renewId);
     return true;
   }
 
@@ -103,15 +101,11 @@ static Optional<Object> strToObject(final Value node) {
       return Optional.empty();
     }
     String value = node.value();
-    if (value.startsWith(BIN)) {
-      try {
-        byte[] bytes = Base64.getDecoder().decode(value.substring(BIN.length()));
-        return Optional.of(new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject());
-      } catch (Exception x) {
-        throw SneakyThrows.propagate(x);
-      }
-    } else if (value.startsWith(PAC4J)) {
-      return Optional.of(strToAction(value.substring(PAC4J.length())));
+    if (value.startsWith(Pac4jSession.BIN)) {
+       JavaSerializationHelper helper = new JavaSerializationHelper();
+       return Optional.of(helper.deserializeFromBase64(value.substring(Pac4jSession.BIN.length())));
+    } else if (value.startsWith(Pac4jSession.PAC4J)) {
+      return Optional.of(strToAction(value.substring(Pac4jSession.PAC4J.length())));
     }
     return Optional.of(value);
   }
@@ -121,21 +115,17 @@ static String objToStr(final Object value) {
       return value.toString();
     } else if (value instanceof HttpAction) {
       return actionToStr((HttpAction) value);
-    }
-    try {
-      ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-      ObjectOutputStream stream = new ObjectOutputStream(bytes);
-      stream.writeObject(value);
-      stream.flush();
-      return BIN + Base64.getEncoder().encodeToString(bytes.toByteArray());
-    } catch (IOException x) {
-      throw SneakyThrows.propagate(x);
+    } else if (value instanceof Serializable) {
+      JavaSerializationHelper helper = new JavaSerializationHelper();
+      return Pac4jSession.BIN + helper.serializeToBase64((Serializable) value);
+    } else {
+      throw new UnsupportedOperationException("Unsupported type: " + value.getClass().getName());
     }
   }
 
   private static String actionToStr(HttpAction action) {
     StringBuilder buffer = new StringBuilder();
-    buffer.append(PAC4J).append(action.getCode());
+    buffer.append(Pac4jSession.PAC4J).append(action.getCode());
     if (action instanceof WithContentAction) {
       buffer.append(":").append(((WithContentAction) action).getContent());
     } else if (action instanceof WithLocationAction) {

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/UntrustedSessionDataDetector.java

@@ -0,0 +1,20 @@
+package io.jooby.internal.pac4j;
+
+import io.jooby.Route;
+import io.jooby.Session;
+
+import javax.annotation.Nonnull;
+
+public class UntrustedSessionDataDetector implements Route.Decorator {
+  @Nonnull
+  @Override
+  public Route.Handler apply(@Nonnull Route.Handler next) {
+    return ctx -> {
+      Session session = ctx.sessionOrNull();
+      if (session instanceof Pac4jSession) {
+        return session;
+      }
+      return session == null ? next.apply(ctx) : next.apply(Pac4jSession.create(ctx));
+    };
+  }
+}

modules/jooby-pac4j/src/main/java/io/jooby/pac4j/Pac4jModule.java

@@ -5,23 +5,8 @@
  */
 package io.jooby.pac4j;
 
-import io.jooby.Context;
-import io.jooby.Extension;
-import io.jooby.Jooby;
-import io.jooby.Route;
-import io.jooby.Router;
-import io.jooby.StatusCode;
-import io.jooby.internal.pac4j.ActionAdapterImpl;
-import io.jooby.internal.pac4j.CallbackFilterImpl;
-import io.jooby.internal.pac4j.ClientReference;
-import io.jooby.internal.pac4j.DevLoginForm;
-import io.jooby.internal.pac4j.ForwardingAuthorizer;
-import io.jooby.internal.pac4j.LogoutImpl;
-import io.jooby.internal.pac4j.NoopAuthorizer;
-import io.jooby.internal.pac4j.Pac4jCurrentUser;
-import io.jooby.internal.pac4j.SavedRequestHandlerImpl;
-import io.jooby.internal.pac4j.SecurityFilterImpl;
-import io.jooby.internal.pac4j.UrlResolverImpl;
+import io.jooby.*;
+import io.jooby.internal.pac4j.*;
 import org.pac4j.core.authorization.authorizer.Authorizer;
 import org.pac4j.core.client.Client;
 import org.pac4j.core.client.Clients;
@@ -488,6 +473,8 @@ public Pac4jModule client(@Nonnull Class<? extends Authorizer> authorizer,
       pac4j.setSecurityLogic(newSecurityLogic(excludes));
     }
 
+    application.decorator(new UntrustedSessionDataDetector());
+
     /** For each client to a specific path, add a security handler. */
     for (Map.Entry<String, List<ClientReference>> entry : allClients.entrySet()) {
       String pattern = entry.getKey();

modules/jooby-pac4j/src/main/java/io/jooby/pac4j/Pac4jUntrustedDataFound.java

@@ -0,0 +1,15 @@
+package io.jooby.pac4j;
+
+import io.jooby.StatusCode;
+import io.jooby.exception.StatusCodeException;
+
+/**
+ * Occurs when sensitive encoded data is set outside pac4j internals.
+ *
+ * @since 2.16.6
+ */
+public class Pac4jUntrustedDataFound extends StatusCodeException {
+  public Pac4jUntrustedDataFound(String message) {
+    super(StatusCode.FORBIDDEN, message);
+  }
+}