public void filter()

in redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java [393:468]


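    /**
     * Applies the CSRF request checks before the resource method is invoked.
     * <p>
     * Nothing is checked when the interceptor is disabled or when the request path is one of
     * the paths that need no authentication. Otherwise the request is aborted with
     * {@code 403 Forbidden} when
     * <ul>
     *   <li>no target URL can be determined for the request (fail closed),</li>
     *   <li>neither an Origin nor a Referer header was seen for any candidate target URL and
     *       {@code denyAbsentHeaders} is set, or</li>
     *   <li>none of the candidate target URLs matches the Origin / Referer header of the request.</li>
     * </ul>
     * If the header check passes and {@code checkToken} is set, the request is additionally handed
     * to {@link #checkValidationToken} for the token check.
     *
     * @param containerRequestContext the JAX-RS request context; used to read the request path and
     *                                to abort the request
     * @throws IOException propagated from the request handling helpers (declared by the
     *                     {@code ContainerRequestFilter} contract)
     */
    public void filter( ContainerRequestContext containerRequestContext )
        throws IOException
    {
        if ( !enabled )
        {
            return;
        }

        final String requestPath = containerRequestContext.getUriInfo( ).getPath( );
        if ( ignoreAuth( requestPath ) )
        {
            // Paths that do not need authentication are not CSRF-protected either
            return;
        }

        HttpServletRequest request = getRequest( );
        List<URL> targetUrls = getTargetUrl( request );
        if ( targetUrls == null )
        {
            // Without a trusted target URL there is nothing to compare the headers against: fail closed
            log.error( "Could not verify target URL." );
            containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build( ) );
            return;
        }

        List<HeaderValidationInfo> failedInfos = new ArrayList<>( );
        boolean targetMatch = false;
        // Stays true only while every checked candidate reported UNKNOWN, i.e. no Origin/Referer header seen
        boolean noHeader = true;
        for ( URL targetUrl : targetUrls )
        {
            log.trace( "Checking against target URL: {}", targetUrl );
            HeaderValidationInfo info = checkSourceRequestHeader( new HeaderValidationInfo( targetUrl ), request );
            noHeader = noHeader && info.getStatus( ) == info.UNKNOWN;
            // A single matching candidate is sufficient
            if ( info.getStatus( ) == info.OK )
            {
                targetMatch = true;
                break;
            }
            failedInfos.add( info );
        }

        if ( noHeader && denyAbsentHeaders )
        {
            log.warn( "Request denied. No Origin or Referer header found and {}=true",
                UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY );
            containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build( ) );
            return;
        }
        // NOTE(review): with denyAbsentHeaders=false an all-UNKNOWN result still reaches this branch and
        // is rejected, unless checkSourceRequestHeader reports absent headers as OK — confirm intended.
        if ( !targetMatch )
        {
            log.warn( "HTTP Header check failed. Assuming CSRF attack." );
            logHeaderMismatches( failedInfos );
            containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build( ) );
            return;
        }

        if ( checkToken )
        {
            checkValidationToken( containerRequestContext, request );
        }
    }

    /**
     * Logs, for each failed candidate, which components of the Origin / Referer header did not
     * match the target URL. Pure diagnostics; does not influence the filter decision.
     *
     * @param failedInfos validation results whose status was not {@code OK}
     */
    private void logHeaderMismatches( List<HeaderValidationInfo> failedInfos )
    {
        for ( HeaderValidationInfo info : failedInfos )
        {
            // A cleared flag bit means that component matched
            final int status = info.getStatus( );
            if ( info.hasOriginError( ) )
            {
                log.warn(
                    "Origin Header does not match: originUrl={}, targetUrl={}. Matches: Host={}, Port={}, Protocol={}",
                    info.originUrl, info.targetUrl, ( status & info.F_ORIGIN_HOST ) == 0,
                    ( status & info.F_ORIGIN_PORT ) == 0,
                    ( status & info.F_ORIGIN_PROTOCOL ) == 0 );
            }
            if ( info.hasRefererError( ) )
            {
                log.warn(
                    "Referer Header does not match: refererUrl={}, targetUrl={}. Matches: Host={}, Port={}",
                    info.refererUrl, info.targetUrl, ( status & info.F_REFERER_HOST ) == 0,
                    ( status & info.F_REFERER_PORT ) == 0 );
            }
        }
    }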