This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit c19589b7a4243589ae18439783181a59e3dbf47a Author: Mark Thomas <[email protected]> AuthorDate: Thu Oct 2 10:02:01 2025 +0100 SWitch tests to use CIDR apart from explicit regex tests
---
 .../catalina/filters/TestRemoteIpFilter.java | 62 ++++---- .../apache/catalina/valves/TestRemoteIpValve.java | 173 ++++++++++----------- 2 files changed, 111 insertions(+), 124 deletions(-)
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 5596722c12..879c55dae4 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -260,7 +260,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 FilterDef filterDef = new FilterDef();
 filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -291,7 +291,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 FilterDef filterDef = new FilterDef();
 filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
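Review bot: In the `@@ -260,7` hunk the `FilterDef` now mixes two syntaxes, because the context line keeps `internalProxies` as the regex `"192\\.168\\.0\\.10|192\\.168\\.0\\.11"` while `trustedProxies` becomes a CIDR list; the `@@ -291,7` and `@@ -498,7` hunks leave the same mix. The other filter tests and the matching valve tests in this commit use `"192.168.0.10/31"` instead. If the mix is deliberate, say so next to the line, for example `// internalProxies intentionally kept as a regex alongside CIDR trustedProxies`; otherwise change it to `filterDef.addInitParameter("internalProxies", "192.168.0.10/31");`. The enclosing test methods begin and end outside these hunks, so whether they are meant to be regex tests cannot be confirmed from here.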
@@ -323,8 +323,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
 FilterDef filterDef = new FilterDef();
- filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -333,7 +333,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
@@ -343,7 +343,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -360,16 +360,16 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
 FilterDef filterDef = new FilterDef();
 filterDef.addInitParameter("internalProxies", "");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 filterDef.setFilter(remoteIpFilter);
 MockHttpServletRequest request = new MockHttpServletRequest();
- request.setRemoteAddr("proxy3");
+ request.setRemoteAddr("200.0.0.3");
 request.setRemoteHost("remote-host-original-value");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
@@ -379,7 +379,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2,proxy3",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -395,16 +395,16 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
 FilterDef filterDef = new FilterDef();
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
 filterDef.setFilter(remoteIpFilter);
 MockHttpServletRequest request = new MockHttpServletRequest();
- request.setRemoteAddr("proxy3");
+ request.setRemoteAddr("200.0.0.3");
 request.setRemoteHost("remote-host-original-value");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
@@ -414,7 +414,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2,proxy3",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -429,8 +429,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 FilterDef filterDef = new FilterDef();
- filterDef.addInitParameter("internalProxies", "127\\.0\\.0\\.1|192\\.168\\..*|another-internal-proxy");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("internalProxies", "127.0.0.1,192.168.0.0/16,10.0.0.1");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -438,8 +438,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
 request.addHeader("x-forwarded-for", "140.211.11.130");
- request.addHeader("x-forwarded-for", "proxy1");
- request.addHeader("x-forwarded-for", "proxy2");
+ request.addHeader("x-forwarded-for", "200.0.0.1");
+ request.addHeader("x-forwarded-for", "200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
@@ -449,7 +449,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -464,8 +464,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 FilterDef filterDef = new FilterDef();
- filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -473,7 +473,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 200.0.0.2, 192.168.0.10, 192.168.0.11");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
@@ -483,7 +483,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
@@ -498,7 +498,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 // PREPARE
 FilterDef filterDef = new FilterDef();
 filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -506,14 +506,14 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 request.setRemoteAddr("not-allowed-internal-proxy");
 request.setRemoteHost("not-allowed-internal-proxy-host");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, proxy2");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
 // VERIFY
 String actualXForwardedFor = actualRequest.getHeader("x-forwarded-for");
- Assert.assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);
+ Assert.assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, 200.0.0.1, 200.0.0.2", actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
 Assert.assertNull("x-forwarded-by must be null", actualXForwardedBy);
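Review bot: The rejection cases still use values that are not IP addresses: the context line `request.setRemoteAddr("not-allowed-internal-proxy")` in the `@@ -506,14` hunk and the `untrusted-proxy` entry in the x-forwarded-for chain of the `@@ -538,18` hunk, and likewise in TestRemoteIpValve at `@@ -965,14` and `@@ -1005,18`. Against CIDR lists such a token presumably can never match, so these tests would still pass if range membership were computed wrongly, yet refusing a well-formed address outside the lists is what stops a forged forwarded header from being believed. Consider a syntactically valid outsider, for example `request.setRemoteAddr("203.0.113.7");` and `"140.211.11.130, 200.0.0.1, 203.0.113.7, 200.0.0.2"` (constructed sample values), either in place of the host-name strings or as additional cases. The test methods continue outside these hunks.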
@@ -529,8 +529,8 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 public void testInvokeUntrustedProxyInTheChain() throws Exception {
 // PREPARE
 FilterDef filterDef = new FilterDef();
- filterDef.addInitParameter("internalProxies", "192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- filterDef.addInitParameter("trustedProxies", "proxy1|proxy2|proxy3");
+ filterDef.addInitParameter("internalProxies", "192.168.0.10/31");
+ filterDef.addInitParameter("trustedProxies", "200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 filterDef.addInitParameter("remoteIpHeader", "x-forwarded-for");
 filterDef.addInitParameter("proxiesHeader", "x-forwarded-by");
@@ -538,18 +538,18 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
- request.setHeader("x-forwarded-for", "140.211.11.130, proxy1, untrusted-proxy, proxy2");
+ request.setHeader("x-forwarded-for", "140.211.11.130, 200.0.0.1, untrusted-proxy, 200.0.0.2");
 // TEST
 HttpServletRequest actualRequest = testRemoteIpFilter(filterDef, request).getRequest();
 // VERIFY
 String actualXForwardedFor = actualRequest.getHeader("x-forwarded-for");
- Assert.assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130,proxy1",
+ Assert.assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130,200.0.0.1",
 actualXForwardedFor);
 String actualXForwardedBy = actualRequest.getHeader("x-forwarded-by");
- Assert.assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2",
+ Assert.assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = actualRequest.getRemoteAddr();
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index 4d35fb55cc..d2dbaf8a59 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -117,8 +117,8 @@ public class TestRemoteIpValve {
 public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1, 200.0.0.2, 200.0.0.3");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -157,8 +157,8 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -168,7 +168,7 @@ public class TestRemoteIpValve {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, proxy2");
+ .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
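Review bot: In the `@@ -117,8` hunk, `setTrustedProxies("200.0.0.1, 200.0.0.2, 200.0.0.3")` is the only trusted-proxy list in this commit written with a space after each comma and without a `/32` suffix; every other test uses `"200.0.0.1/32,200.0.0.2/32,200.0.0.3/32"`. Judging by the test name (null remote IP header), the list is probably never consulted here, so a form the parser rejects or reads differently would go unnoticed. Either align it with `remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");`, or keep the bare-address form on purpose and add a comment such as `// bare addresses with whitespace after commas, kept to cover that input form` together with an assertion that exercises it. The method body continues outside the hunk.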
@@ -178,7 +178,7 @@ public class TestRemoteIpValve {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -200,17 +200,17 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
 remoteIpValve.setInternalProxies("");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
 remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
 Request request = new MockRequest(new org.apache.coyote.Request());
- request.setRemoteAddr("proxy3");
+ request.setRemoteAddr("200.0.0.3");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, proxy2");
+ .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
@@ -220,7 +220,7 @@ public class TestRemoteIpValve {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2,proxy3",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -230,7 +230,7 @@ public class TestRemoteIpValve {
 Assert.assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
 String actualPostInvokeRemoteAddr = request.getRemoteAddr();
- Assert.assertEquals("postInvoke remoteAddr", "proxy3", actualPostInvokeRemoteAddr);
+ Assert.assertEquals("postInvoke remoteAddr", "200.0.0.3", actualPostInvokeRemoteAddr);
 String actualPostInvokeRemoteHost = request.getRemoteHost();
 Assert.assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
@@ -241,17 +241,17 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
 remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
 Request request = new MockRequest(new org.apache.coyote.Request());
- request.setRemoteAddr("proxy3");
+ request.setRemoteAddr("200.0.0.3");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, proxy2");
+ .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
@@ -261,7 +261,7 @@ public class TestRemoteIpValve {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2,proxy3",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2,200.0.0.3",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -271,7 +271,7 @@ public class TestRemoteIpValve {
 Assert.assertEquals("remoteHost", "140.211.11.130", actualRemoteHost);
 String actualPostInvokeRemoteAddr = request.getRemoteAddr();
- Assert.assertEquals("postInvoke remoteAddr", "proxy3", actualPostInvokeRemoteAddr);
+ Assert.assertEquals("postInvoke remoteAddr", "200.0.0.3", actualPostInvokeRemoteAddr);
 String actualPostInvokeRemoteHost = request.getRemoteHost();
 Assert.assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost);
@@ -282,8 +282,8 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -293,7 +293,7 @@ public class TestRemoteIpValve {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11");
+ .setString("140.211.11.130, 200.0.0.1, 200.0.0.2, 192.168.0.10, 192.168.0.11");
 // TEST
 remoteIpValve.invoke(request, null);
@@ -303,7 +303,7 @@ public class TestRemoteIpValve {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -324,8 +324,8 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -365,8 +365,8 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("127\\.0\\.0\\.1|192\\.168\\..*|another-internal-proxy");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("127.0.0.1,192.168.0.0/16,10.0.0.1");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -376,8 +376,8 @@ public class TestRemoteIpValve {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130");
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("proxy1");
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("proxy2");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("200.0.0.1");
+ request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
@@ -387,7 +387,7 @@ public class TestRemoteIpValve {
 Assert.assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1,proxy2",
+ Assert.assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "200.0.0.1,200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -408,8 +408,6 @@ public class TestRemoteIpValve {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies(
- "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProtocolHeader("x-forwarded-proto");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -954,8 +952,8 @@ public class TestRemoteIpValve {
 public void testInvokeNotAllowedRemoteAddr() throws Exception {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -965,14 +963,14 @@ public class TestRemoteIpValve {
 request.setRemoteAddr("not-allowed-internal-proxy");
 request.setRemoteHost("not-allowed-internal-proxy-host");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, proxy2");
+ .setString("140.211.11.130, 200.0.0.1, 200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
 // VERIFY
 String actualXForwardedFor = request.getHeader("x-forwarded-for");
- Assert.assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor);
+ Assert.assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, 200.0.0.1, 200.0.0.2", actualXForwardedFor);
 String actualXForwardedBy = request.getHeader("x-forwarded-by");
 Assert.assertNull("x-forwarded-by must be null", actualXForwardedBy);
@@ -994,8 +992,8 @@ public class TestRemoteIpValve {
 public void testInvokeUntrustedProxyInTheChain() throws Exception {
 // PREPARE
 RemoteIpValve remoteIpValve = new RemoteIpValve();
- remoteIpValve.setInternalProxies("192\\.168\\.0\\.10|192\\.168\\.0\\.11");
- remoteIpValve.setTrustedProxies("proxy1|proxy2|proxy3");
+ remoteIpValve.setInternalProxies("192.168.0.10/31");
+ remoteIpValve.setTrustedProxies("200.0.0.1/32,200.0.0.2/32,200.0.0.3/32");
 remoteIpValve.setRemoteIpHeader("x-forwarded-for");
 remoteIpValve.setProxiesHeader("x-forwarded-by");
 RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
@@ -1005,18 +1003,18 @@ public class TestRemoteIpValve {
 request.setRemoteAddr("192.168.0.10");
 request.setRemoteHost("remote-host-original-value");
 request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2");
+ .setString("140.211.11.130, 200.0.0.1, untrusted-proxy, 200.0.0.2");
 // TEST
 remoteIpValve.invoke(request, null);
 // VERIFY
 String actualXForwardedFor = remoteAddrAndHostTrackerValve.getForwardedFor();
- Assert.assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130,proxy1",
+ Assert.assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130,200.0.0.1",
 actualXForwardedFor);
 String actualXForwardedBy = remoteAddrAndHostTrackerValve.getForwardedBy();
- Assert.assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2",
+ Assert.assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "200.0.0.2",
 actualXForwardedBy);
 String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr();
@@ -1106,61 +1104,6 @@ public class TestRemoteIpValve {
 request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE));
 }
- @Test
- public void testRequestForwardedForWithPortNumber() throws Exception {
-
- // PREPARE
- RemoteIpValve remoteIpValve = new RemoteIpValve();
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
-
- Request request = new MockRequest(new org.apache.coyote.Request());
- // client ip
- request.setRemoteAddr("192.168.0.10");
- request.setRemoteHost("192.168.0.10");
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130:1234");
- // protocol
- request.setServerPort(8080);
- request.getCoyoteRequest().scheme().setString("http");
-
- // TEST
- remoteIpValve.invoke(request, null);
-
- // VERIFY
-
- Assert.assertEquals("140.211.11.130:1234", remoteAddrAndHostTrackerValve.getRemoteAddr());
- }
-
- @Test
- public void testRequestForwardedForWithProxyPortNumber() throws Exception {
-
- // PREPARE
- RemoteIpValve remoteIpValve = new RemoteIpValve();
- // remoteIpValve.setRemoteIpHeader("x-forwarded-for");
- // remoteIpValve.setProtocolHeader("x-forwarded-proto");
- RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve();
- remoteIpValve.setNext(remoteAddrAndHostTrackerValve);
-
- Request request = new MockRequest(new org.apache.coyote.Request());
- // client ip
- request.setRemoteAddr("192.168.0.10");
- request.setRemoteHost("192.168.0.10");
- // Trust c.d
- remoteIpValve.setTrustedProxies("foo\\.bar:123");
- request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for")
- .setString("140.211.11.130:1234, foo.bar:123");
- // protocol
- request.setServerPort(8080);
- request.getCoyoteRequest().scheme().setString("http");
-
- // TEST
- remoteIpValve.invoke(request, null);
-
- // VERIFY
-
- Assert.assertEquals("140.211.11.130:1234", remoteAddrAndHostTrackerValve.getRemoteAddr());
- }
-
 private void assertArrayEquals(String[] expected, String[] actual) {
 if (expected == null) {
 Assert.assertNull(actual);
@@ -1179,6 +1122,50 @@ public class TestRemoteIpValve {
 @Test
 public void testInternalProxies() throws Exception {
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ NetMaskSet internalProxiesCidr = NetMaskSet.parse(remoteIpValve.getInternalProxies());
+
+ doTestNetMaskSet(internalProxiesCidr, "192.168.0.0", true);
+
+ doTestNetMaskSet(internalProxiesCidr, "8.8.8.8", false);
+ doTestNetMaskSet(internalProxiesCidr, "100.62.0.0", false);
+ doTestNetMaskSet(internalProxiesCidr, "100.63.255.255", false);
+ doTestNetMaskSet(internalProxiesCidr, "100.64.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.65.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.68.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.72.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.88.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.95.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.102.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.110.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.126.0.0", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.127.255.255", true);
+ doTestNetMaskSet(internalProxiesCidr, "100.128.0.0", false);
+ doTestNetMaskSet(internalProxiesCidr, "100.130.0.0", false);
+ // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
+ doTestNetMaskSet(internalProxiesCidr, "fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestNetMaskSet(internalProxiesCidr, "fe80:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestNetMaskSet(internalProxiesCidr, "fe80::", true);
+ doTestNetMaskSet(internalProxiesCidr, "fe80:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestNetMaskSet(internalProxiesCidr, "fe80::1", true);
+ doTestNetMaskSet(internalProxiesCidr, "fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestNetMaskSet(internalProxiesCidr, "febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestNetMaskSet(internalProxiesCidr, "fec0:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestNetMaskSet(internalProxiesCidr, "fec0::", false);
+ // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
+ doTestNetMaskSet(internalProxiesCidr, "fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestNetMaskSet(internalProxiesCidr, "fc00:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestNetMaskSet(internalProxiesCidr, "fc00::", true);
+ doTestNetMaskSet(internalProxiesCidr, "fc00:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestNetMaskSet(internalProxiesCidr, "fc00::1", true);
+ doTestNetMaskSet(internalProxiesCidr, "fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestNetMaskSet(internalProxiesCidr, "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestNetMaskSet(internalProxiesCidr, "fe00:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestNetMaskSet(internalProxiesCidr, "fe00::", false);
+ }
+
+ @Test
+ public void testInternalProxiesRegex() throws Exception {
 RemoteIpValve remoteIpValve = new RemoteIpValve();
 // Regex equivalent of default
 remoteIpValve.setInternalProxies("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
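Review bot: The two `Bug 69600` comments in the new `testInternalProxies` sit above the wrong groups: the `fe79:` to `fec0::` assertions probe the edges of the link-local range (RFC 4291) but are labelled `RFC 4193 Unique Local`, and the `fbff:` to `fe00::` assertions probe the unique local range (RFC 4193) but are labelled `RFC 4291 Link Local`. Swap them so the first reads `// Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses` and the second `// Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses`; these boundaries decide which peers are trusted to supply forwarded headers, so the labels should let a reader check them against the right RFC. A one-line comment at the top of the method, such as `// Default internalProxies value, parsed as CIDR`, would also make clear that no list is configured here. `testInternalProxiesRegex`, which now holds the former body, continues outside the hunk.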
