Referer header is an uri not url

orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilter.java

@@ -1,13 +1,16 @@
 package org.orcid.core.web.filters;
 
 import java.io.IOException;
+import java.net.URISyntaxException;
 
 import javax.annotation.Resource;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
@@ -18,6 +21,8 @@
 
 public class CorsFilter extends OncePerRequestFilter {
 
+	private static Log log = LogFactory.getLog(CorsFilter.class);
+
 	@Resource
 	CrossDomainWebManger crossDomainWebManger;
 
@@ -28,11 +33,23 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
 			// CORS "pre-flight" request
 			response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-			if(crossDomainWebManger.allowed(request)) {
-	                    response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,x-csrf-token");
-	                }else{
-	                    response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type, Accept");
-	                }
+
+			boolean allowCrossDomain = false;
+
+			try {
+				allowCrossDomain = crossDomainWebManger.allowed(request);
+			} catch (URISyntaxException e) {
+				String origin  = request.getHeader("origin");
+				String referer = request.getHeader("referer");
+				log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
+				// Lets log the exception and assume cross domain call was rejected
+			}
+
+			if(allowCrossDomain) {
+				response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,x-csrf-token");
+			} else {
+				response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type, Accept");
+			}
 		}
 		filterChain.doFilter(request, response);
 	}

orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java

@@ -1,6 +1,7 @@
 package org.orcid.core.web.filters;
 
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -10,6 +11,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.orcid.core.manager.impl.OrcidUrlManager;
 import org.orcid.pojo.ajaxForm.PojoUtil;
 import org.springframework.beans.factory.annotation.Value;
@@ -21,25 +24,34 @@
 
 public class CorsFilterWeb extends OncePerRequestFilter {
 
+    private static Log log = LogFactory.getLog(CorsFilterWeb.class);
+
     @Resource
     CrossDomainWebManger crossDomainWebManger;
 
-    @Value("${org.orcid.core.baseUri}")
+    @Value("${org.orcid.core.web.filters}")
     private String baseUri;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        if (crossDomainWebManger.allowed(request)) {
-            String origin = request.getHeader("origin");
-            response.addHeader("Access-Control-Allow-Origin", origin);
-            response.addHeader("Access-Control-Allow-Credentials", "true");
-
-            if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
-                // CORS "pre-flight" request
-                response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-                response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token,x-xsrf-token");
-                return;
+        try {
+            if (crossDomainWebManger.allowed(request)) {
+                String origin = request.getHeader("origin");
+                response.addHeader("Access-Control-Allow-Origin", origin);
+                response.addHeader("Access-Control-Allow-Credentials", "true");
+
+                if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
+                    // CORS "pre-flight" request
+                    response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+                    response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token,x-xsrf-token");
+                    return;
+                }
             }
+        } catch (URISyntaxException e) {
+            String origin  = request.getHeader("origin");
+            String referer = request.getHeader("referer");
+            log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
+            throw new ServletException("Unable to process your request due an invalid URI exception", e);
         }
 
         filterChain.doFilter(request, response);

orcid-core/src/main/java/org/orcid/core/web/filters/CrossDomainWebManger.java

@@ -1,6 +1,8 @@
 package org.orcid.core.web.filters;
 
 import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
@@ -24,7 +26,7 @@ public class CrossDomainWebManger {
 
     private List<String> domainsRegex;
 
-    public boolean allowed(HttpServletRequest request) throws MalformedURLException {
+    public boolean allowed(HttpServletRequest request) throws URISyntaxException {
         String path = OrcidUrlManager.getPathWithoutContextPath(request);
 
         // Check origin header
@@ -35,9 +37,10 @@ public boolean allowed(HttpServletRequest request) throws MalformedURLException
             } 
         } else {
             // Check referer header for localhost
-            if (!PojoUtil.isEmpty(request.getHeader("referer"))) {
-                URL netUrl = new URL(request.getHeader("referer"));
-                String domain = netUrl.getHost();
+            String referer = request.getHeader("referer");
+            if (!PojoUtil.isEmpty(referer)) {
+                URI uri = new URI(request.getHeader("referer"));
+                String domain = uri.getHost();
                 if (LOCALHOST.equals(domain)) {
                     return true;
                 }
@@ -52,12 +55,14 @@ public boolean allowed(HttpServletRequest request) throws MalformedURLException
         return false;
     }
 
-    public boolean validateDomain(String url) throws MalformedURLException {
-        URL netUrl = new URL(url);
-        String domain = netUrl.getHost();
-        for (String allowedDomain : getAllowedDomainsRegex()) {
-            if (domain.matches(allowedDomain)) {
-                return true;
+    public boolean validateDomain(String url) throws URISyntaxException {
+        URI uri = new URI(url);
+        String domain = uri.getHost();
+        if(domain != null) {
+            for (String allowedDomain : getAllowedDomainsRegex()) {
+                if (domain.matches(allowedDomain)) {
+                    return true;
+                }
             }
         }
         return false;
@@ -76,8 +81,7 @@ private List<String> getAllowedDomainsRegex() {
     }
 
     private String transformPatternIntoRegex(String domainPattern) {
-        String result = domainPattern.replace(".", "\\.");
-        return result;
+        return domainPattern.replace(".", "\\.");
     }
 
     public boolean validatePath(String path) {

orcid-core/src/main/java/org/orcid/core/web/filters/JsonpCallbackFilterWeb.java

@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 import java.io.OutputStream;
+import java.net.URISyntaxException;
 import java.util.Map;
 
 import javax.annotation.Resource;
@@ -40,7 +41,19 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         Map<String, String[]> parms = httpRequest.getParameterMap();
 
         if (parms.containsKey("callback")) {
-            if(crossDomainWebManger.allowed(request)) {
+
+            boolean allowCrossDomain = false;
+
+            try {
+                allowCrossDomain = crossDomainWebManger.allowed(request);
+            } catch (URISyntaxException e) {
+                String origin  = request.getHeader("origin");
+                String referer = request.getHeader("referer");
+                log.error("Unable to process your request due an invalid URI exception, please check your origin and request headers: origin = '" + origin + "' referer = '" + referer + "'" , e);
+                // Lets log the exception and assume this was rejected so it is not considered a JSONP call
+            }
+
+            if(allowCrossDomain) {
                 if (log.isDebugEnabled())
                     log.debug("Wrapping response with JSONP callback '" + parms.get("callback")[0] + "'");
 

orcid-core/src/test/java/org/orcid/core/web/filters/CrossDomainWebMangerTest.java

@@ -2,8 +2,9 @@
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
-import java.net.MalformedURLException;
+import java.net.URISyntaxException;
 
 import javax.annotation.Resource;
 
@@ -25,15 +26,15 @@ public class CrossDomainWebMangerTest {
     CrossDomainWebManger crossDomainWebManger;
 
     String [] allowedDomains = {"http://localhost", "https://localhost"};
-    String [] forbiddenDomains = {"http://.orcid.org", "http://www.otherorcid.org", "http://www.myorcid.org", "http://www.ihateorcid.org", "http://qa.ihateorcid.org", "https://.orcid.org", "https://www.otherorcid.org", "https://www.myorcid.org", "https://www.ihateorcid.org", "https://qa.ihateorcid.org"};
+    String [] forbiddenDomains = {"http://.orcid.org", "http://www.otherorcid.org", "http://www.myorcid.org", "http://www.testorcid.org", "http://qa.testorcid.org", "https://.orcid.org", "https://www.otherorcid.org", "https://www.myorcid.org", "https://www.testorcid.org", "https://qa.testorcid.org"};
 
     String [] allowedPaths = {"/lang.json","/userStatus.json","/oauth/userinfo","/oauth/jwks","/.well-known/openid-configuration"};
     String [] forbiddenPaths = {"/oauth","/whatever/oauth","/whatever/oauth/","/whatever/oauth/other",
             "/whatever/userStatus.json","/userstatus.json","/userStatus.json/","/userStatus.json/whatever",
             "/userStatus.jsonwhatever/test","/userStatus.json/whatever","/userStatus.jsonwhatever","/userStatus.jsonwhatever/test"};
 
     @Test
-    public void testDomains() throws MalformedURLException {
+    public void testDomains() throws URISyntaxException {
         for(String allowed : allowedDomains) {            
             assertTrue("testing: " +  allowed, crossDomainWebManger.validateDomain(allowed));
         }  
@@ -44,7 +45,7 @@ public void testDomains() throws MalformedURLException {
     }
 
     @Test
-    public void testPaths() throws MalformedURLException {
+    public void testPaths() throws URISyntaxException {
         for(String allowed : allowedPaths) {            
             assertTrue("testing: " +  allowed, crossDomainWebManger.validatePath(allowed));
         }