Minor refactor of CsrfSecurityRequestMatcher

- use plain string comparison instead of regexp
- Simplify data structures

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
jvoisin 5 years ago committed by Andrew DeMaria
parent d61a00e830
commit d17c00115a
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 26
      airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java

@ -6,9 +6,8 @@ import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList; import java.util.Arrays;
import java.util.Collection; import java.util.List;
import java.util.regex.Pattern;
/** /**
* See * See
@ -20,24 +19,21 @@ import java.util.regex.Pattern;
*/ */
@Component @Component
public class CsrfSecurityRequestMatcher implements RequestMatcher { public class CsrfSecurityRequestMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$"); static private List<String> allowedMethods = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");
private Collection<RegexRequestMatcher> whiteListedMatchers; private List<RegexRequestMatcher> whiteListedMatchers;
public CsrfSecurityRequestMatcher() { public CsrfSecurityRequestMatcher() {
Collection<RegexRequestMatcher> whiteListedMatchers = new ArrayList<>(); this.whiteListedMatchers = Arrays.asList(
whiteListedMatchers.add(new RegexRequestMatcher("/dwr/.*\\.dwr", "POST")); new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"),
whiteListedMatchers.add(new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST")); new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"),
whiteListedMatchers.add(new RegexRequestMatcher("/search(?:\\.view)?", "POST")); new RegexRequestMatcher("/search(?:\\.view)?", "POST")
this.whiteListedMatchers = whiteListedMatchers; );
} }
@Override @Override
public boolean matches(HttpServletRequest request) { public boolean matches(HttpServletRequest request) {
boolean skipCSRF = allowedMethods.contains(request.getMethod()) ||
boolean skipCSRF = whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));
allowedMethods.matcher(request.getMethod()).matches() ||
whiteListedMatchers.stream().anyMatch(matcher -> matcher.matches(request));
return !skipCSRF; return !skipCSRF;
} }
} }
Loading…
Cancel
Save