org.apache.commons.httpclient.URIException Java Examples

Example #1
Source File: GitLabSecurityRealm.java (from gitlab-oauth-plugin, MIT License)
/**
 * Returns the proxy to be used when connecting to the given URI.
 *
 * <p>The Jenkins proxy configuration is asked for a proxy for the request's
 * host. Only an HTTP proxy is turned into an {@link HttpHost}; a direct
 * connection, a SOCKS proxy (not supported yet) or a missing configuration
 * yields {@code null}, which means "connect directly".
 *
 * @param method the request whose target host decides proxy selection
 * @return the HTTP proxy host, or {@code null} when no HTTP proxy applies
 * @throws URIException if the request URI cannot be parsed
 */
private HttpHost getProxy(HttpUriRequest method) throws URIException {
    ProxyConfiguration proxyConfig = Jenkins.getInstance().proxy;
    if (proxyConfig == null) {
        return null; // nothing configured
    }

    String targetHost = method.getURI().getHost();
    Proxy resolved = proxyConfig.createProxy(targetHost);
    if (resolved.type() != Proxy.Type.HTTP) {
        // DIRECT means no proxy; SOCKS and anything else is not supported yet.
        return null;
    }
    InetSocketAddress address = (InetSocketAddress) resolved.address();
    return new HttpHost(address.getHostName(), address.getPort());
}
 
Example #2
Source File: MockStorageInterface.java (from hadoop, Apache License 2.0)
/**
 * Builds the absolute URI string for {@code relativePath} under this mock's base URI.
 *
 * <p>A "/" is inserted between base and relative path when the base lacks one,
 * the relative path is path-encoded, and a trailing "/" is appended when
 * requested for a non-empty path that does not already end with one.
 *
 * @param relativePath path below the base URI, not yet URL-encoded
 * @param withTrailingSlash whether the result should end with "/"
 * @return the encoded absolute URI string
 * @throws RuntimeException if the relative path cannot be encoded
 */
private String fullUriString(String relativePath, boolean withTrailingSlash) {
    String base = this.baseUri.endsWith("/") ? this.baseUri : this.baseUri + "/";

    String path = relativePath;
    boolean needsTrailingSlash = withTrailingSlash && !path.isEmpty() && !path.endsWith("/");
    if (needsTrailingSlash) {
        path += "/";
    }

    try {
        return base + URIUtil.encodePath(path);
    } catch (URIException e) {
        throw new RuntimeException("problem encoding fullUri", e);
    }
}
 
Example #3
Source File: InfoSessionIdUrlScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void ignoreExposureToBookmark() throws HttpMalformedHeaderException, URIException {

    // Given: a request URL carrying a session ID, and a response whose only
    // link is a same-page bookmark (href="#C4")
    String requestUrl = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String responseBody =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<h2 id=\"C4\">Chapter 4</h2>"
                    + "<p><a href=\"#C4\">Jump to Chapter 4</a></p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(responseBody);
    message.getRequestHeader().setURI(new URI(requestUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: exactly one alert (the session ID in the URL); a bookmark link
    // is self relative and must not be reported as a second exposure
    assertEquals(1, alertsRaised.size());
}
 
Example #4
Source File: UsableURIFactoryTest.java (from webarchive-commons, Apache License 2.0)
/**
 * Test for doubly-encoded sequences.
 * See <a href="https://sourceforge.net/tracker/index.php?func=detail&aid=966219&group_id=73833&atid=539099">[ 966219 ] UURI doubly-encodes %XX sequences</a>.
 *
 * <p>Re-parsing an already-encoded URI, with ISO-8859-1 and with the default
 * (UTF-8) charset, must leave the existing %XX escapes untouched instead of
 * encoding the '%' a second time.
 *
 * @throws URIException if a URI cannot be parsed
 */
public final void testDoubleEncoding() throws URIException {
	final String rawUri = "http://archive.org/DIR WITH SPACES/home\u00E6.html";
	final String latin1Encoded = "http://archive.org/DIR%20WITH%20SPACES/home%E6.html";
	final String utf8Encoded = "http://archive.org/DIR%20WITH%20SPACES/home%C3%A6.html";

	// ISO-8859-1: one encoding pass, then two re-parses of the encoded form
	UsableURI latin1 = UsableURIFactory.getInstance(rawUri, "ISO-8859-1");
	assertEquals("single encoding", latin1Encoded, latin1.toString());
	for (int pass = 0; pass < 2; pass++) {
		latin1 = UsableURIFactory.getInstance(latin1.toString(), "ISO-8859-1");
	}
	assertEquals("double encoding", latin1Encoded, latin1.toString());

	// Default charset (UTF-8): same procedure
	UsableURI utf8 = UsableURIFactory.getInstance(rawUri);
	assertEquals("Not equal utf8", utf8Encoded, utf8.toString());
	for (int pass = 0; pass < 2; pass++) {
		utf8 = UsableURIFactory.getInstance(utf8.toString());
	}
	assertEquals("Not equal (dbl-encoding) utf8", utf8Encoded, utf8.toString());
}
 
Example #5
Source File: InformationDisclosureSuspiciousCommentsScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldAlertOnSuspiciousCommentInHtmlComments()
        throws HttpMalformedHeaderException, URIException {

    // Given: an HTML response whose only suspicious text ("FixMe") sits inside
    // an HTML comment, not in script content
    String responseBody =
            "<h1>Some text <!--Some Html comment FixMe: DO something --></h1>\n"
                    + "<b>No script here</b>\n";
    HttpMessage message =
            createHttpMessageWithRespBody(responseBody, "text/html;charset=ISO-8859-1");

    // Sanity check of the fixture: text response, not JavaScript
    assertTrue(message.getResponseHeader().isText());
    assertFalse(message.getResponseHeader().isJavaScript());

    // When
    scanHttpResponseReceive(message);

    // Then: the comment is reported once
    assertEquals(1, alertsRaised.size());
}
 
Example #6
Source File: ScanTarget.java (from zap-extensions, Apache License 2.0)
/**
 * Creates a scan target from {@code uri}, keeping only its scheme, host and port.
 *
 * <p>The given URI is copied and the copy's path, query and fragment are cleared,
 * so the target identifies a host rather than a single resource. The string and
 * HTML representations are built from the resulting host and port.
 *
 * @param uri the URI of the target; its host must be readable
 * @throws IllegalArgumentException if the host cannot be read from {@code uri}
 */
public ScanTarget(URI uri) {
    this.uri = copyURI(uri);
    this.scheme = uri.getScheme();

    String targetHost;
    try {
        targetHost = uri.getHost();
    } catch (URIException e) {
        throw new IllegalArgumentException("Failed to get host from URI: " + e.getMessage(), e);
    }
    this.host = targetHost;

    this.port = getPort(scheme, uri.getPort());

    // Reduce the copy to scheme://host[:port].
    try {
        this.uri.setPath(null);
        this.uri.setQuery(null);
        this.uri.setFragment(null);
    } catch (URIException ignore) {
        // Setting path, query and fragment to null is safe and is not expected to fail.
    }

    this.stringRepresentation = createHostPortString(host, port);
    buildHtmlStringRepresentation();
}
 
Example #7
Source File: InfoSessionIdUrlScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void detectExposureTo3rdPartyUnquotedHREF()
        throws HttpMalformedHeaderException, URIException {

    // Given: a request URL carrying a session ID, and a response linking to a
    // third-party site through an unquoted href attribute
    String requestUrl = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String responseBody =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=https://www.example.org/html/hello>Testing ZAP</a>"
                    + "</p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(responseBody);
    message.getRequestHeader().setURI(new URI(requestUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: one alert for the session ID in the URL, one for the third-party
    // link that would leak it via the Referer
    assertEquals(2, alertsRaised.size());
}
 
Example #8
Source File: MessageContentUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldGetHostNode()
        throws URIException, DatabaseException, HttpMalformedHeaderException {

    // Given: a host node with a single message node beneath it
    String hostName = defaultHostName.toString();
    URI hostUri = new URI("https", null, hostName, -1, "/first");
    WebSocketChannelDTO channel = getWebSocketChannelDTO(1, hostName, hostUri.toString());
    TreeNode hostNode = new WebSocketNode(root, new HostFolderContent(namer, channel));
    MessageContent content =
            new MessageContent(namer, getTextOutgoingMessage(channel, "Test", 1));
    TreeNode messageNode = new WebSocketNode(hostNode, content);

    // When
    List<TreeNode> hosts = messageNode.getHostNodes(new ArrayList<>());

    // Then: the message's only host ancestor is hostNode
    assertEquals(1, hosts.size());
    assertEquals(hostNode, hosts.get(0));
}
 
Example #9
Source File: WebSocketProxy.java (from zap-extensions, Apache License 2.0)
/**
 * Returns the base key under which statistics for this proxy are recorded,
 * computing and caching it on first use.
 *
 * <p>The key is the host name derived from the handshake's URI so that it lines
 * up with the keys other statistics use; when there is no handshake reference,
 * or its URI cannot be parsed, {@code "http://" + host} is used instead.
 *
 * @return the statistics base key; never recomputed once non-null
 */
private String getStatsBaseKey() {
    if (statsBaseKey != null) {
        return statsBaseKey;
    }

    HistoryReference handshake = getHandshakeReference();
    String key = null;
    if (handshake != null) {
        try {
            // Best attempt at the same host name that other stats use
            key = SessionStructure.getHostName(handshake.getURI());
        } catch (URIException e) {
            // Unlikely; fall through to the fallback below
        }
    }
    if (handshake == null || key == null && keyFailed(handshake)) {
        key = "http://" + host;
    }
    statsBaseKey = key;
    return statsBaseKey;
}
 
Example #10
Source File: InformationDisclosureReferrerScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
/**
 * Creates a message whose request carries the given {@code Referer} header and
 * whose response is the plain-text {@code BODY} constant.
 *
 * @param testReferer value of the Referer request header
 * @return the assembled message
 * @throws HttpMalformedHeaderException if the fixed response header cannot be parsed
 * @throws URIException if the {@code URI} constant cannot be parsed
 */
protected HttpMessage createHttpMessageWithRespBody(String testReferer)
        throws HttpMalformedHeaderException, URIException {

    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(new URI(URI, false));
    header.setHeader("Referer", testReferer);

    // Content-Length is BODY's char count, which matches the byte length only
    // for single-byte content.
    String responseHeader =
            "HTTP/1.1 200 OK\r\n"
                    + "Server: Apache-Coyote/1.1\r\n"
                    + "Content-Type: text/plain\r\n"
                    + "Content-Length: " + BODY.length() + "\r\n";

    HttpMessage message = new HttpMessage();
    message.setRequestHeader(header);
    message.setResponseBody(BODY);
    message.setResponseHeader(responseHeader);
    return message;
}
 
Example #11
Source File: SourceCodeDisclosureCVE20121823.java (from zap-extensions, Apache License 2.0)
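/**
 * Builds the request URI for this scan check: the original URI's scheme,
 * escaped authority and escaped path, with {@code attackParam} appended verbatim.
 *
 * <p>When the original has no path, "/" is used so the suffix always follows a
 * path separator. The original query and fragment are not carried over. The
 * result is parsed as an already-escaped URI, so {@code attackParam} must be
 * escaped by the caller.
 *
 * @param originalURI the URI of the message being scanned
 * @param attackParam the escaped suffix to append to the path
 * @return the new URI, or {@code null} if the assembled string is not a valid escaped URI
 */
private static URI createAttackUri(URI originalURI, String attackParam) {
    String path = originalURI.getRawPath() != null ? originalURI.getEscapedPath() : "/";
    String uri =
            originalURI.getScheme()
                    + "://"
                    + originalURI.getEscapedAuthority()
                    + path
                    + attackParam;
    try {
        return new URI(uri, true);
    } catch (URIException e) {
        // Log the exception itself rather than only its message, so the stack
        // trace and any nested cause are preserved for diagnosis.
        log.warn("Failed to create attack URI [" + uri + "]", e);
    }
    return null;
}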
 
Example #12
Source File: InfoSessionIdUrlScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void ignoreExposureToSelfRelativeLink()
        throws HttpMalformedHeaderException, URIException {

    // Given: a request URL carrying a session ID, and a response whose only
    // link (and image) is relative to the current document
    String requestUrl = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String responseBody =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=\"default.jsp\">\n"
                    + " <img src=\"smiley.gif\" alt=\"HTML tutorial\" "
                    + "style=\"width:42px;height:42px;border:0;\">\n</a>"
                    + "</p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(responseBody);
    message.getRequestHeader().setURI(new URI(requestUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: exactly one alert (the session ID in the URL); a self-relative
    // href must not be reported as a second exposure
    assertEquals(1, alertsRaised.size());
}
 
Example #13
Source File: HttpClientConnection.java (from knopflerfish.org, BSD 3-Clause "New" or "Revised" License)
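/**
 * Creates a client connection for {@code url}.
 *
 * <p>The URL is parsed as a not-yet-escaped URI, the bundle's proxy settings
 * are applied to the client, and the socket timeout is taken from the bundle
 * property {@code TIMEOUT} when that property is set.
 *
 * @param bc the bundle context used for property lookup and proxy selection
 * @param url the target URL (not URI-escaped)
 * @param mode the connection mode requested by the caller (not used in this constructor)
 * @param timeouts whether the caller requested timeouts (not used in this constructor)
 * @throws URIException if {@code url} is not a valid URI
 * @throws IllegalArgumentException if the {@code TIMEOUT} property is not an integer
 */
HttpClientConnection(final BundleContext bc,
                     final String url,
                     final int mode,
                     final boolean timeouts)
  throws URIException
{
  this.bc = bc;
  uri = new URI(url, false); // assume not escaped URIs
  ProxySelector.configureProxy(bc, client, url);

  final String timeoutString = bc.getProperty(TIMEOUT);
  if (timeoutString != null) {
    try {
      client.getParams().setSoTimeout(Integer.parseInt(timeoutString));
    } catch (NumberFormatException e) {
      // IllegalArgumentException is a RuntimeException, so existing catch
      // clauses still match; the cause is kept for diagnosis.
      throw new IllegalArgumentException("Invalid timeout " + timeoutString, e);
    }
  }
}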
 
Example #14
Source File: InfoSessionIdUrlScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
@Disabled(value = "Scanner does not look for session IDs in the response embedded in HREFs")
public void containsSessionIdInResponseHREFParams()
        throws HttpMalformedHeaderException, URIException {

    // Given: a request URL without a session ID, and a response whose href
    // carries a jsessionid parameter
    String requestUrl = "http://tld.gtld/fred?foo=bar";
    String responseBody =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=\"https://www.example.org/html/?jsessionid=1A530637289A03B07199A44E8D531427\">Testing ZAP</a>"
                    + "</p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(responseBody);
    message.getRequestHeader().setURI(new URI(requestUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: the expected behaviour is one alert for the session ID in the href
    // (currently disabled, see @Disabled)
    assertEquals(1, alertsRaised.size());
}
 
Example #15
Source File: SolrQueryHTTPClient.java (from alfresco-repository, GNU Lesser General Public License v3.0)
/**
 * Posts a query to Solr and converts the JSON reply with {@code jsonProcessor}.
 *
 * <p>When {@code spellCheckParams} is given, the reply is handed to a
 * {@link SpellCheckDecisionManager}; if it decides to collate, the query is
 * re-sent to the manager's URL, and in either case the spell-check value is
 * attached to the JSON under the {@code "spellcheck"} key before processing.
 *
 * @param httpClient the client used to send the request
 * @param url the Solr endpoint to post to
 * @param body the JSON query body
 * @param jsonProcessor converts the JSON reply into a {@link JSONResult}
 * @param spellCheckParams spell-check options, or {@code null} to skip spell checking
 * @return the processed result
 * @throws IOException if the request fails
 * @throws HttpException if the HTTP exchange fails
 * @throws URIException if the URL is invalid
 * @throws JSONException if the reply cannot be handled as JSON
 */
protected JSONResult postSolrQuery(HttpClient httpClient, String url, JSONObject body, SolrJsonProcessor<?> jsonProcessor, String spellCheckParams)
            throws UnsupportedEncodingException, IOException, HttpException, URIException,
            JSONException
{
    JSONObject reply = postQuery(httpClient, url, body);

    if (spellCheckParams != null)
    {
        SpellCheckDecisionManager decision = new SpellCheckDecisionManager(reply, url, body, spellCheckParams);
        if (decision.isCollate())
        {
            reply = postQuery(httpClient, decision.getUrl(), body);
        }
        reply.put("spellcheck", decision.getSpellCheckJsonValue());
    }

    JSONResult results = jsonProcessor.getResult(reply);

    // Debug output includes the full query body.
    if (s_logger.isDebugEnabled())
    {
        s_logger.debug("Sent :" + url);
        s_logger.debug("   with: " + body.toString());
        s_logger.debug("Got: " + results.getNumberFound() + " in " + results.getQueryTime() + " ms");
    }

    return results;
}
 
Example #16
Source File: UriUtils.java (from zap-extensions, Apache License 2.0)
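/**
 * Returns a representation of the host name as used throughout ZAP. The representation contains
 * the scheme, the host and, if needed, the port. Method should be used to keep consistency
 * whenever displaying a node's hostname.
 *
 * <p>Example outputs:
 *
 * <ul>
 *   <li><i>http://example.org</i>
 *   <li><i>http://example.org:8080</i>
 *   <li><i>https://example.org</i>
 * </ul>
 *
 * @param uri the URI whose host representation is wanted
 * @return {@code scheme://host}, with {@code :port} appended when the port is explicit and is
 *     not the default for the scheme (80 for http, 443 for https)
 * @throws URIException if the host cannot be read from the URI
 */
public static String getHostName(URI uri) throws URIException {
    // Locale.ROOT keeps the scheme comparison independent of the default locale.
    String scheme = uri.getScheme().toLowerCase(java.util.Locale.ROOT);
    int port = uri.getPort();
    boolean defaultPort =
            (port == 80 && "http".equals(scheme)) || (port == 443 && "https".equals(scheme));

    StringBuilder host = new StringBuilder();
    host.append(scheme).append("://").append(uri.getHost());
    // -1 means no explicit port in the URI; default ports are left out too.
    if (port != -1 && !defaultPort) {
        host.append(':').append(port);
    }
    return host.toString();
}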
 
Example #17
Source File: InformationDisclosureReferrerScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldRaiseAlertWhenSsnInReferer()
        throws HttpMalformedHeaderException, URIException {

    // Given: a Referer whose "docid" parameter looks like a US SSN
    String paramName = "docid";
    String ssnLikeValue = "000-00-0000";
    String referer = "http://example.org/?" + paramName + "=" + ssnLikeValue + "&hl=en";
    HttpMessage message = createHttpMessageWithRespBody(referer);

    // When
    scanHttpRequestSend(message);

    // Then: one alert, with the SSN as evidence and the SSN-specific other-info text
    assertEquals(1, alertsRaised.size());
    Alert alert = alertsRaised.get(0);
    assertEquals(ssnLikeValue, alert.getEvidence());
    String expectedOtherInfo =
            Constant.messages.getString(
                    InformationDisclosureReferrerScanRule.MESSAGE_PREFIX + "otherinfo.ssn");
    assertEquals(expectedOtherInfo, alert.getOtherInfo());
}
 
Example #18
Source File: CacheableScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldRaiseAlertStoreAndCacheableWhenStaleRetrieveAllowed()
        throws URIException, HttpMalformedHeaderException {
    // Given: a public response whose Expires lies an hour before its Date,
    // i.e. it is already stale when received
    HttpMessage message = createMessage();
    String responseHeader =
            "HTTP/1.1 200 OK\r\n"
                    + "Cache-Control: public\r\n"
                    + "Expires: Wed, 02 Oct 2019 06:00:00 GMT\r\n"
                    + "Date: Wed, 02 Oct 2019 07:00:00 GMT";
    message.setResponseHeader(responseHeader);

    // When
    scanHttpResponseReceive(message);

    // Then: reported as storable and cacheable, with no extra detail
    assertStoreAndCacheable("");
}
 
Example #19
Source File: CsrfCountermeasuresScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
/**
 * Per-test setup: two anti-CSRF token names ("token", "csrfToken") served by a
 * lenient mock of {@code ExtensionAntiCSRF}, an empty ignore list and empty
 * ignore attribute name/value on the rule, and a request message for
 * {@code http://example.com}.
 *
 * @throws URIException if the fixed request URI cannot be parsed
 */
@BeforeEach
public void before() throws URIException {
    antiCsrfTokenNames = new ArrayList<>(java.util.Arrays.asList("token", "csrfToken"));

    extensionAntiCSRFMock = mock(ExtensionAntiCSRF.class);
    // lenient: not every test asks the mock for the token names
    Mockito.lenient()
            .when(extensionAntiCSRFMock.getAntiCsrfTokenNames())
            .thenReturn(antiCsrfTokenNames);

    rule.setExtensionAntiCSRF(extensionAntiCSRFMock);
    rule.setCsrfIgnoreList("");
    rule.setCSRFIgnoreAttName("");
    rule.setCSRFIgnoreAttValue("");

    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(new URI("http://example.com", false));
    msg = new HttpMessage();
    msg.setRequestHeader(header);
}
 
Example #20
Source File: InformationDisclosureReferrerScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldRaiseAlertWhenCreditCardInReferer()
        throws HttpMalformedHeaderException, URIException {

    // Given: a Referer whose "docid" parameter is a Discover test card number
    String paramName = "docid";
    String cardNumber = "6011000990139424";
    String referer = "http://example.org/?" + paramName + "=" + cardNumber + "&hl=en";
    HttpMessage message = createHttpMessageWithRespBody(referer);

    // When
    scanHttpRequestSend(message);

    // Then: one alert, the card number as evidence, and the other-info text
    // made of the localised CC message followed by the BIN details
    assertEquals(1, alertsRaised.size());
    Alert alert = alertsRaised.get(0);
    assertEquals(cardNumber, alert.getEvidence());

    StringBuilder expectedOtherInfo = new StringBuilder();
    expectedOtherInfo.append(
            Constant.messages.getString(
                    InformationDisclosureReferrerScanRule.MESSAGE_PREFIX + "otherinfo.cc"));
    expectedOtherInfo.append('\n').append("Bank Identification Number: 601100");
    expectedOtherInfo.append('\n').append("Brand: DISCOVER");
    expectedOtherInfo.append('\n').append("Category: PLATINUM");
    expectedOtherInfo.append('\n').append("Issuer: DISCOVER");
    assertEquals(expectedOtherInfo.toString(), alert.getOtherInfo());
}
 
Example #21
Source File: ImportFromAbstractDialog.java (from zap-extensions, Apache License 2.0)
/**
 * Parses the text of the "from" field as an already-escaped URI.
 *
 * <p>On failure the user is shown a warning naming the rejected value and the
 * parser's message.
 *
 * @return the Schema Uri, might be {@code null} when the field's text is not a valid URI
 */
protected URI getSchemaUri() {
    String text = fieldFrom.getText();
    try {
        return new URI(text, true);
    } catch (URIException e) {
        showWarningDialog(
                Constant.messages.getString(MESSAGE_PREFIX + "url.invalid", text, e.getMessage()));
        return null;
    }
}
 
Example #22
Source File: CacheableScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
/**
 * Builds a GET request for {@code https://example.com/fred/} that carries an
 * {@code Authorization} header (value {@code "basic"}, no credentials), for the
 * cacheability tests that depend on an authorised request.
 *
 * @return the message with the request header set and no response
 * @throws URIException if the fixed URI cannot be parsed
 */
private HttpMessage createMessageBasicAuthorization() throws URIException {
    HttpRequestHeader header = new HttpRequestHeader();
    header.setMethod("GET");
    header.setURI(new URI("https://example.com/fred/", false));
    header.addHeader(HttpHeader.AUTHORIZATION, "basic");

    HttpMessage message = new HttpMessage();
    message.setRequestHeader(header);
    return message;
}
 
Example #23
Source File: CsrfCountermeasuresScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldRaiseAlertWhenThresholdLowAndMessageOutOfScope() throws URIException {
    // Given: an ignore attribute is configured and the message is out of scope
    rule.setCSRFIgnoreAttName("ignore");
    HttpMessage outOfScope = createScopedMessage(false);

    // When: the rule runs at LOW threshold with a fresh configuration
    rule.setConfig(new ZapXmlConfiguration());
    rule.setAlertThreshold(AlertThreshold.LOW);
    scanHttpResponseReceive(outOfScope);

    // Then: at LOW threshold the out-of-scope message is still reported
    assertEquals(1, alertsRaised.size());
}
 
Example #24
Source File: SURTTokenizer.java (from webarchive-commons, Apache License 2.0)
/**
 * constructor
 *
 * <p>A URL that already starts with "(" is kept as is (presumably it is already
 * in SURT key form); any other URL is converted with {@code getKey(url, false)}
 * before tokenizing starts.
 *
 * @param url String URL
 * @throws URIException if the URL cannot be converted to a key
 */
public SURTTokenizer(final String url) throws URIException {
	remainder = url.startsWith("(") ? url : getKey(url, false);
}
 
Example #25
Source File: HttpEncodingTools.java (from elasticsearch-hadoop, Apache License 2.0)
/**
 * Splits the given string on the first '?' then encodes the first half as a path (ignoring slashes and colons)
 * and the second half as a query segment (ignoring questionmarks, equals signs, etc...).
 *
 * @param uri the path and optional query to encode
 * @return the encoded string
 * @throws EsHadoopIllegalArgumentException if the string cannot be escaped
 * @deprecated Prefer to use {@link HttpEncodingTools#encode(String)} instead for encoding specific
 * pieces of the URI. This method does not escape certain reserved characters, like '/', ':', '=', and '?'.
 * As such, this is not safe to use on URIs that may contain these reserved characters in the wrong places.
 */
@Deprecated
public static String encodeUri(String uri) {
    final String encoded;
    try {
        encoded = URIUtil.encodePathQuery(uri);
    } catch (URIException ex) {
        throw new EsHadoopIllegalArgumentException("Cannot escape uri [" + uri + "]", ex);
    }
    return encoded;
}
 
Example #26
Source File: RetireUtil.java (from zap-extensions, Apache License 2.0)
/**
 * Returns the name component of the URI's path (its last segment).
 *
 * @param uri the URI to inspect
 * @return the name, or {@code null} if the URI cannot be parsed (the failure is
 *     logged at WARN level)
 */
public static String getFileName(URI uri) {
    String name = null;
    try {
        name = uri.getName();
    } catch (URIException e) {
        LOGGER.warn("There was an error parsing the URI", e);
    }
    return name;
}
 
Example #27
Source File: InsecureFormLoadScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldNotRaiseAlertIfFormActionIsInsecure() throws URIException {
    // Given: a form whose action posts over plain http
    HttpMessage message = createMessage();
    String responseBody =
            "<html><form name=\"someform\" action=\"http://example.com/processform\"></form</html>";
    message.setResponseBody(responseBody);

    // When
    scanHttpResponseReceive(message);

    // Then: an insecure action is not this rule's concern, so nothing is raised
    assertThat(alertsRaised.size(), equalTo(0));
}
 
Example #28
Source File: UsableURIFactoryTest.java (from webarchive-commons, Apache License 2.0)
/**
 * Scheme-relative references ("//host/path") resolved against an http base must
 * inherit the base's scheme, also when the reference itself embeds a full URL
 * in its query string.
 *
 * @throws URIException if a URI cannot be parsed
 */
public void testSchemelessRelative() throws URIException {
    final String baseUrl = "http://www.itsnicethat.com/articles/laura-hobson";
    final String likeButton = "//www.facebook.com/plugins/like.php";
    UsableURI base = UsableURIFactory.getInstance(baseUrl);

    UsableURI resolvedPlain = UsableURIFactory.getInstance(base, likeButton);
    assertEquals("schemaless relative 1", "http:" + likeButton, resolvedPlain.toString());

    // reported by Erin Staniland: a query that itself contains an absolute URL
    final String likeButtonWithHref = likeButton + "?href=" + baseUrl;
    UsableURI resolvedWithQuery = UsableURIFactory.getInstance(base, likeButtonWithHref);
    assertEquals("schemeless relative 2", "http:" + likeButtonWithHref, resolvedWithQuery.toString());
}
 
Example #29
Source File: InsecureFormPostScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
@Test
public void shouldRaiseAlertIfResponseFormIsInsecure() throws URIException {
    // Given: a form whose action posts over plain http
    HttpMessage message = createMessage();
    String responseBody =
            "<html><form name=\"someform\" action=\"http://example.com/processform\"></form</html>";
    message.setResponseBody(responseBody);

    // When
    scanHttpResponseReceive(message);

    // Then: the insecure form post is reported once
    assertThat(alertsRaised.size(), equalTo(1));
}
 
Example #30
Source File: XBackendServerInformationLeakScanRuleUnitTest.java (from zap-extensions, Apache License 2.0)
/**
 * Builds a minimal message with a request for {@code http://example.com} and no
 * response; tests set the response header they want to inspect.
 *
 * @return the message with only its request header set
 * @throws URIException if the fixed URI cannot be parsed
 */
private HttpMessage createMessage() throws URIException {
    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(new URI("http://example.com", false));

    HttpMessage message = new HttpMessage();
    message.setRequestHeader(header);
    return message;
}