Add safeguards to all cookie text fields (#32)

RayDNoper · web-flow · commit f41097cca969 · 2024-05-30T11:12:53.000+03:00
diff --git a/src/main/java/ee/eesti/authentication/configuration/jwt/JwtUtils.java b/src/main/java/ee/eesti/authentication/configuration/jwt/JwtUtils.java
@@ -149,12 +149,12 @@ public Cookie getJwtCookie(SignedJWT signedJWT) {
     public Cookie getLegacySessionCookie(HttpServletRequest request, SessionsEntity sessionsEntity, boolean alwaysCreateCookie) {
 
         Supplier<Cookie> cookieSupplier = () -> {
-            Cookie sessionCookie = new Cookie(legacyPortalIntegrationConfig.getSessionCookieName(),
-                    sessionsEntity.getSessionId().replaceAll("[\n\r]+"," "));
+            Cookie sessionCookie = new Cookie(removeNewlines(legacyPortalIntegrationConfig.getSessionCookieName()),
+                    removeNewlines(sessionsEntity.getSessionId()));
             sessionCookie.setHttpOnly(true);
             sessionCookie.setSecure(secureCookie);
             sessionCookie.setPath("/");
-            sessionCookie.setDomain(legacyPortalIntegrationConfig.getSessionCookieDomain());
+            sessionCookie.setDomain(removeNewlines(legacyPortalIntegrationConfig.getSessionCookieDomain()));
             return sessionCookie;
         };
 
@@ -268,5 +268,8 @@ public static RSAKey getJwtSignKeyFromKeystore(String keyStoreType, InputStream
         return (RSAKey) jwkSet.getKeyByKeyId(keyAlias);
     }
 
+    public static String removeNewlines(String in) {
+        return in.replaceAll("[\n\r]+"," ");
+    }
 
 }
diff --git a/src/main/java/ee/eesti/authentication/controller/CustomJwtController.java b/src/main/java/ee/eesti/authentication/controller/CustomJwtController.java
@@ -92,10 +92,10 @@ public ResponseEntity<?> createCustomJwtToken(@RequestBody @Valid CustomJwtToken
             return emptyOkResponse;
         }
 
-        Cookie cookie = new Cookie(request.getJwtName(), signedJWT.serialize().replaceAll("[\n\r]+"," "));
+        Cookie cookie = new Cookie(JwtUtils.removeNewlines(request.getJwtName()), JwtUtils.removeNewlines(signedJWT.serialize()));
         cookie.setHttpOnly(true);
         cookie.setSecure(secureCookie);
-        cookie.setDomain(legacyPortalIntegrationConfig.getSessionCookieDomain().replaceAll("[\n\r]+"," "));
+        cookie.setDomain(JwtUtils.removeNewlines(legacyPortalIntegrationConfig.getSessionCookieDomain()));
 
         response.addCookie(cookie);
 
diff --git a/src/main/java/ee/eesti/authentication/controller/JwtController.java b/src/main/java/ee/eesti/authentication/controller/JwtController.java
@@ -431,11 +431,11 @@ public ResponseEntity<?> performBlacklist(
     }
 
     private void removeCookie(HttpServletResponse response, Cookie c, String domain, String path) {
-        Cookie cookie = new Cookie(c.getName(), null);
-        cookie.setDomain(domain.replaceAll("[\n\r]+"," "));
+        Cookie cookie = new Cookie(JwtUtils.removeNewlines(c.getName()), null);
+        cookie.setDomain(JwtUtils.removeNewlines(domain));
         cookie.setMaxAge(0);
         cookie.setSecure(c.getSecure());
-        cookie.setPath(path.replaceAll("[\n\r]+"," "));
+        cookie.setPath(JwtUtils.removeNewlines(path));
         response.addCookie(cookie);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -431,11 +431,11 @@ public ResponseEntity<?> performBlacklist(`
`431`	`431`	`}`
`432`	`432`
`433`	`433`	`private void removeCookie(HttpServletResponse response, Cookie c, String domain, String path) {`
`434`		`- Cookie cookie = new Cookie(c.getName(), null);`
`435`		`- cookie.setDomain(domain.replaceAll("[\n\r]+"," "));`
	`434`	`+ Cookie cookie = new Cookie(JwtUtils.removeNewlines(c.getName()), null);`
	`435`	`+ cookie.setDomain(JwtUtils.removeNewlines(domain));`
`436`	`436`	`cookie.setMaxAge(0);`
`437`	`437`	`cookie.setSecure(c.getSecure());`
`438`		`- cookie.setPath(path.replaceAll("[\n\r]+"," "));`
	`438`	`+ cookie.setPath(JwtUtils.removeNewlines(path));`
`439`	`439`	`response.addCookie(cookie);`
`440`	`440`	`}`
`441`	`441`