From ef4acdde247f7e0755d14c0edf9f8fd3f6040ace Mon Sep 17 00:00:00 2001 From: "marcin.sciesinski" Date: Fri, 1 May 2020 09:45:12 -0700 Subject: [PATCH] Added same Origin protection for API calls --- .../async/handler/RootUriRequestHandler.java | 82 +++++++++++-------- .../src/main/resources/gemp-lotr.properties | 2 + 2 files changed, 49 insertions(+), 35 deletions(-) diff --git a/gemp-lotr/gemp-lotr-async/src/main/java/com/gempukku/lotro/async/handler/RootUriRequestHandler.java b/gemp-lotr/gemp-lotr-async/src/main/java/com/gempukku/lotro/async/handler/RootUriRequestHandler.java index bced81344..60d50902c 100644 --- a/gemp-lotr/gemp-lotr-async/src/main/java/com/gempukku/lotro/async/handler/RootUriRequestHandler.java +++ b/gemp-lotr/gemp-lotr-async/src/main/java/com/gempukku/lotro/async/handler/RootUriRequestHandler.java @@ -9,6 +9,7 @@ import org.jboss.netty.handler.codec.http.HttpRequest; import java.lang.reflect.Type; import java.util.Collections; import java.util.Map; +import java.util.regex.Pattern; public class RootUriRequestHandler implements UriRequestHandler { private String _serverContextPath = "/gemp-lotr-server/"; @@ -34,8 +35,12 @@ public class RootUriRequestHandler implements UriRequestHandler { private MtgCardsRequestHandler _mtgCardsRequestHandler; private SoloDraftRequestHandler _soloDraftRequestHandler; + private Pattern originPattern; + public RootUriRequestHandler(Map context) { _webRequestHandler = new WebRequestHandler(ApplicationConfiguration.getProperty("web.path")); + String originAllowedPattern = ApplicationConfiguration.getProperty("origin.allowed.pattern"); + originPattern = Pattern.compile(originAllowedPattern); _hallRequestHandler = new HallRequestHandler(context); _deckRequestHandler = new DeckRequestHandler(context); _loginRequestHandler = new LoginRequestHandler(context); @@ -65,44 +70,51 @@ public class RootUriRequestHandler implements UriRequestHandler { _mtgCardsRequestHandler.handleRequest(uri, request, context, responseWriter, e); } else if (uri.equals("/gemp-lotr")) { responseWriter.writeError(301, Collections.singletonMap("Location", "/gemp-lotr/")); - } else if (uri.startsWith(_serverContextPath + "hall")) { - _hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "deck")) { - _deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "login")) { - _loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "register")) { - _registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "replay")) { - _replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "gameHistory")) { - _gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "stats")) { - _serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "playerStats")) { - _playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "admin")) { - _adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "chat")) { - _chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "collection")) { - _collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "delivery")) { - _deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "game")) { - _gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "league")) { - _leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "merchant")) { - _merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "tournament")) { - _tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e); - } else if (uri.startsWith(_serverContextPath + "soloDraft")) { - _soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e); } else if (uri.equals(_serverContextPath)) { _statusRequestHandler.handleRequest(uri.substring(_serverContextPath.length()), request, context, responseWriter, e); } else { - throw new HttpProcessingException(404); + String origin = request.getHeader("Origin"); + if (origin == null || !originPattern.matcher(origin).matches()) + throw new HttpProcessingException(403); + + // These APIs are protected by same Origin protection + if (uri.startsWith(_serverContextPath + "hall")) { + _hallRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "deck")) { + _deckRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "login")) { + _loginRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "register")) { + _registerRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "replay")) { + _replayRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "gameHistory")) { + _gameHistoryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "stats")) { + _serverStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "playerStats")) { + _playerStatsRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 11), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "admin")) { + _adminRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 5), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "chat")) { + _chatRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "collection")) { + _collectionRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "delivery")) { + _deliveryRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "game")) { + _gameRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 4), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "league")) { + _leagueRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 6), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "merchant")) { + _merchantRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 8), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "tournament")) { + _tournamentRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 10), request, context, responseWriter, e); + } else if (uri.startsWith(_serverContextPath + "soloDraft")) { + _soloDraftRequestHandler.handleRequest(uri.substring(_serverContextPath.length() + 9), request, context, responseWriter, e); + } else { + throw new HttpProcessingException(404); + } } } } diff --git a/gemp-lotr/gemp-lotr-common/src/main/resources/gemp-lotr.properties b/gemp-lotr/gemp-lotr-common/src/main/resources/gemp-lotr.properties index 85c18060c..d1104dd5a 100644 --- a/gemp-lotr/gemp-lotr-common/src/main/resources/gemp-lotr.properties +++ b/gemp-lotr/gemp-lotr-common/src/main/resources/gemp-lotr.properties @@ -10,3 +10,5 @@ db.connection.validateQuery=/* ping */ select 1 port=80 web.path=/env/gemp-lotr/web/ + +origin.allowed.pattern=^http://www\\.gempukku\\.com$