Minor refactor of CsrfSecurityRequestMatcher

- use plain string comparison instead of regexp - Simplify data structures Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago · d17c00115a
parent d61a00e830
commit d17c00115a
1 changed files with 12 additions and 16 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java
@ -6,9 +6,8 @@ import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
+import java.util.Arrays;
-import java.util.Collection;
+import java.util.List;
 import java.util.regex.Pattern;
 /**
 * See
@ -20,24 +19,21 @@ import java.util.regex.Pattern;
 */
@Component
 public class CsrfSecurityRequestMatcher implements RequestMatcher {
-    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+    static private List<String> allowedMethods = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");
-    private Collection<RegexRequestMatcher> whiteListedMatchers;
+    private List<RegexRequestMatcher> whiteListedMatchers;
    public CsrfSecurityRequestMatcher() {
-        Collection<RegexRequestMatcher> whiteListedMatchers = new ArrayList<>();
+        this.whiteListedMatchers = Arrays.asList(
-        whiteListedMatchers.add(new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"));
+            new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"),
-        whiteListedMatchers.add(new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"));
+            new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"),
-        whiteListedMatchers.add(new RegexRequestMatcher("/search(?:\\.view)?", "POST"));
+            new RegexRequestMatcher("/search(?:\\.view)?", "POST")
-        this.whiteListedMatchers = whiteListedMatchers;
+        );
    }
    @Override
    public boolean matches(HttpServletRequest request) {
-
+        boolean skipCSRF = allowedMethods.contains(request.getMethod()) ||
        boolean skipCSRF =
                allowedMethods.matcher(request.getMethod()).matches() ||
            whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));
        return !skipCSRF;
    }
 }