Introduced protections against HTTP header injection / smuggling attacks

2024-11-29 14:41:02 +00:00
1 changed files with 35 additions and 2 deletions
--- a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.config.security;

+import io.github.pixee.security.Newlines;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.*;
@@ -163,12 +164,31 @@ public class SecurityConfiguration {
            http.sessionManagement(
                    sessionManagement ->
                            sessionManagement
-                            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                    .maximumSessions(10)
                                    .maxSessionsPreventsLogin(false)
                                    .sessionRegistry(sessionRegistry)
-                                    .expiredUrl("/login?logout=true"));

+                                    .expiredUrl("/login?logout=true"))
+            .addFilterBefore(
+                    new ForceEagerSessionCreationFilter(), 
+                    SecurityContextHolderFilter.class)
+            .addFilterBefore(new ForceEagerSessionCreationFilter(), SecurityContextHolderFilter.class);
+            
+            http.addFilterBefore(new OncePerRequestFilter() {
+                @Override
+                protected void doFilterInternal(HttpServletRequest request, 
+                        HttpServletResponse response, FilterChain filterChain) 
+                        throws ServletException, IOException {
+                    
+                    if (request.getRequestURI().startsWith("/saml2")) {
+                        response.setHeader("Set-Cookie", 
+                            Newlines.stripAll(response.getHeader("Set-Cookie")
+                                .concat(";SameSite=None;Secure")));
+                    }
+                    filterChain.doFilter(request, response);
+                }
+            }, SessionManagementFilter.class);
+            
            http.authenticationProvider(daoAuthenticationProvider());
            http.requestCache(requestCache -> requestCache.requestCache(new NullRequestCache()));
            http.logout(
@@ -452,6 +472,19 @@ public class SecurityConfiguration {
                        .clientName("OIDC")
                        .build());
    }
+
+    @Bean
+    public CookieSerializer cookieSerializer() {
+        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
+        serializer.setSameSite("None");
+        serializer.setUseSecureCookie(true); // Required when using SameSite=None
+        return serializer;
+    }
+
+    @Bean
+    public HttpSessionEventPublisher httpSessionEventPublisher() {
+        return new HttpSessionEventPublisher();
+    }
    
    @Bean
    @ConditionalOnProperty(