[NC-1742] PR fixes. Extra test.

PegaSysEng · Dec 6, 2018 · 2231735 · 2231735
1 parent eabf381
commit 2231735
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/...um/jsonrpc/src/main/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcConfiguration.java b/...um/jsonrpc/src/main/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcConfiguration.java
@@ -89,7 +89,7 @@ public void addRpcApi(final RpcApi rpcApi) {
  }
 
  public Collection<String> getHostsWhitelist() {
- return this.hostsWhitelist;
+ return Collections.unmodifiableCollection(this.hostsWhitelist);
  }
 
  public void setHostsWhitelist(final Collection<String> hostsWhitelist) {

diff --git a/...reum/jsonrpc/src/main/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcHttpService.java b/...reum/jsonrpc/src/main/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcHttpService.java
@@ -13,6 +13,7 @@
 package tech.pegasys.pantheon.ethereum.jsonrpc;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.collect.Streams.stream;
 import static java.util.stream.Collectors.toList;
 import static tech.pegasys.pantheon.util.NetworkUtility.urlForSocketAddress;
 
@@ -171,8 +172,7 @@ public CompletableFuture<?> start() {
 
  private Handler<RoutingContext> checkWhitelistHostHeader() {
  return event -> {
- Optional<String> hostHeader =
- Optional.ofNullable(Iterables.get(Splitter.on(':').split(event.request().host()), 0));
+ Optional<String> hostHeader = getAndValidateHostHeader(event);
  if (config.getHostsWhitelist().contains("*")
  || (hostHeader.isPresent() && hostIsInWhitelist(hostHeader))) {
  event.next();
@@ -186,6 +186,18 @@ private Handler<RoutingContext> checkWhitelistHostHeader() {
  };
  }
 
+ private Optional<String> getAndValidateHostHeader(final RoutingContext event) {
+ Iterable<String> splitHostHeader = Splitter.on(':').split(event.request().host());
+ long hostPieces = stream(splitHostHeader).count();
+ if (hostPieces > 1) {
+ // If the host contains a colon, verify the host is correctly formed - host [ ":" port ]
+ if (hostPieces > 2 || !Iterables.get(splitHostHeader, 1).matches("\\d{1,5}+")) {
+ return Optional.empty();
+ }
+ }
+ return Optional.ofNullable(Iterables.get(splitHostHeader, 0));
+ }
+
  private boolean hostIsInWhitelist(final Optional<String> hostHeader) {
  return config
  .getHostsWhitelist()

diff --git a/...test/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcHttpServiceHostWhitelistTest.java b/...test/java/tech/pegasys/pantheon/ethereum/jsonrpc/JsonRpcHttpServiceHostWhitelistTest.java
@@ -138,6 +138,7 @@ public void requestWithAnyHostnameAndWildcardConfigIsAccepted() throws IOExcepti
  public void requestWithWhitelistedHostIsAccepted() throws IOException {
  jsonRpcConfig.setHostsWhitelist(hostsWhitelist);
  assertThat(doRequest("ally")).isEqualTo(200);
+ assertThat(doRequest("ally:12345")).isEqualTo(200);
  assertThat(doRequest("friend")).isEqualTo(200);
  }
 
@@ -157,4 +158,12 @@ private int doRequest(final String hostname) throws IOException {
  new Request.Builder().post(body).url(baseUrl).addHeader("Host", hostname).build();
  return client.newCall(build).execute().code();
  }
+
+ @Test
+ public void requestWithMalformedHostIsRejected() throws IOException {
+ jsonRpcConfig.setHostsWhitelist(hostsWhitelist);
+ assertThat(doRequest("ally:friend")).isEqualTo(403);
+ assertThat(doRequest("ally:123456")).isEqualTo(403);
+ assertThat(doRequest("ally:friend:1234")).isEqualTo(403);
+ }
 }