From d17c00115aa40696325944cd6aaeeed3d903e225 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 7 Oct 2019 17:31:51 +0200
Subject: [PATCH] Minor refactor of CsrfSecurityRequestMatcher
- use plain string comparison instead of regexp
- Simplify data structures
Signed-off-by: Andrew DeMaria
---
 .../security/CsrfSecurityRequestMatcher.java | 28 ++++++++-----------
 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java b/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
index 8a624c6f..150a2a33 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
@@ -6,9 +6,8 @@ import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.regex.Pattern;
+import java.util.Arrays;
+import java.util.List;
 /**
  * See 
@@ -20,24 +19,21 @@ import java.util.regex.Pattern;
 */
 @Component
 public class CsrfSecurityRequestMatcher implements RequestMatcher {
-private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
-private Collection whiteListedMatchers;
+static private List allowedMethods = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");
+private List whiteListedMatchers;
 public CsrfSecurityRequestMatcher() {
-Collection whiteListedMatchers = new ArrayList<>();
-whiteListedMatchers.add(new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"));
-whiteListedMatchers.add(new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"));
-whiteListedMatchers.add(new RegexRequestMatcher("/search(?:\\.view)?", "POST"));
-this.whiteListedMatchers = whiteListedMatchers;
+this.whiteListedMatchers = Arrays.asList(
+new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"),
+new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"),
+new RegexRequestMatcher("/search(?:\\.view)?", "POST")
+);
 }
 @Override
 public boolean matches(HttpServletRequest request) {
-
-boolean skipCSRF =
-allowedMethods.matcher(request.getMethod()).matches() ||
-whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));
-
+boolean skipCSRF = allowedMethods.contains(request.getMethod()) ||
+whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));
 return !skipCSRF;
 }
-}
\ No newline at end of file
+}
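Review bot: The two fields added at the top of the class stay mutable and non-final: `Arrays.asList` returns a fixed-size but writable view (`set` succeeds), and neither `allowedMethods` nor `whiteListedMatchers` is declared `final`, so the list of CSRF-exempt methods and the POST exemption list can be altered after construction. Because these lists decide which requests skip the CSRF check, I would lock both down, e.g. `private static final List<String> ALLOWED_METHODS = Collections.unmodifiableList(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));` (or `List.of(...)` if the project targets Java 9 or later), wrap the matcher list the same way, and use the conventional modifier order `private static final` instead of `static private`. The move from the anchored regex to `contains` is behaviour-preserving since both are exact, case-sensitive comparisons against `request.getMethod()`; a one-line comment on the field saying so would stop a later reader from "fixing" it with a case-insensitive match. A short Javadoc on `matches`, such as `/** Returns true when the request must carry a CSRF token: it is neither a safe method nor on the POST allow-list. */`, would also make the inverted `return !skipCSRF;` easier to follow.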