11 changes: 11 additions & 0 deletions docs/documentation/upgrading/topics/changes/changes-26_6_0.adoc
Expand Up @@ -35,6 +35,17 @@ Previously virtual threads were used when at least two CPU cores were available.
Starting with this version, virtual threads are only used when at least four CPU cores are available.
This change should prevent deadlocks due to pinned virtual threads.

=== Accepting URL paths without a semicolon

Previously {project_name} accepted HTTP requests with paths containing a semicolon (`;`).
When processing them, it handled them as of RFC 3986 as a separator for matrix parameters, which basically ignored those parts.
As this has led to a hard-to-configure URL filtering, for example, in reverse proxies, this is now disabled, and {project_name} responds with an HTTP 400 response code.

To analyze rejected requests in the server log, enable debug logging for `org.keycloak.quarkus.runtime.services.RejectNonNormalizedPathFilter`.

To revert to the previous behavior and to accept matrix parameters set the option `http-accept-non-normalized-paths` to `true`.
With this configuration, enable and review the HTTP access log to identify problematic requests.

// ------------------------ Deprecated features ------------------------ //
== Deprecated features

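Review bot: the RFC cited here (RFC 3986) is not the one cited in the filter's code comment (RFC 6570); align the two so the release note and the code agree. RFC 3986 only remarks that ";" is commonly used to delimit parameters within a path segment, while the ";" path-style parameter operator is defined in RFC 6570. Two wording points on the same lines: "handled them as of RFC 3986 as a separator for matrix parameters, which basically ignored those parts" reads better as "treated the semicolon, following RFC 3986, as a separator for matrix parameters and ignored those parts", and "As this has led to a hard-to-configure URL filtering" as "Because this made URL filtering hard to configure". The advice to enable debug logging for RejectNonNormalizedPathFilter only helps an operator if the logged line carries the rejected path; check the format string in that filter's hunk.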
Expand Up @@ -146,7 +146,7 @@ public enum ClientAuth {

public static final Option<Boolean> HTTP_ACCEPT_NON_NORMALIZED_PATHS = new OptionBuilder<>("http-accept-non-normalized-paths", Boolean.class)
.category(OptionCategory.HTTP)
.description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.")
.description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//') or semicolon (';'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.")
.deprecated()
.defaultValue(Boolean.FALSE)
.build();
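Review bot: "more concise URL filtering" in the description is presumably meant as "more precise" or "stricter" filtering; since this sentence is reproduced verbatim in every CLI help snapshot below, this is the place to fix it before regenerating them. It would also help operators if the description, like the release note, said that rejected requests are reported at debug level by RejectNonNormalizedPathFilter, so someone reading the CLI help knows where to look before flipping this deprecated option to `true`.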
Expand Up @@ -51,6 +51,21 @@ public void handle(RoutingContext routingContext) {
jsonString = "";
}
routingContext.response().setStatusCode(400).end(jsonString);
} else if (routingContext.request().path().contains(";")) {
// RFC 6570 defines matrix parameters that are separated with a semicolon in each path segment.
// Keycloak does not use @MatrixParam, therefore any URL containing a semicolon is treated as invalid.
// Once Keycloak starts using them in any of its APIs, consider enabling them only for specific paths,
// as URL filtering would otherwise be quite hard for reverse proxies.
LOGGER.debugf("Invalid character ';' found in the request path", routingContext.request().path());
OAuth2ErrorRepresentation error = new OAuth2ErrorRepresentation("invalidCharacter", "Request path contains invalid character ';'");
routingContext.response().headers().add("Content-Type", "application/json; charset=UTF-8");
String jsonString;
try {
jsonString = MAPPER.writeValueAsString(error);
} catch (JsonProcessingException e) {
jsonString = "";
}
routingContext.response().setStatusCode(400).end(jsonString);
} else {
routingContext.next();
}
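Review bot: the debug message drops the path it is given: `LOGGER.debugf("Invalid character ';' found in the request path", routingContext.request().path());` has no `%s` placeholder, so the second argument is ignored and the release note's advice to enable debug logging for this class produces lines without the offending path. Change it to `LOGGER.debugf("Invalid character ';' found in the request path: %s", routingContext.request().path());`. The response-building block (construct the `OAuth2ErrorRepresentation`, set the Content-Type header, `MAPPER.writeValueAsString` with an empty-string fallback, end with 400) is now a copy of the branch above it; extract a private helper taking the error code and description so the two rejection paths cannot drift apart. The comment cites RFC 6570 while the release note cites RFC 3986; pick one.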
Expand Up @@ -33,6 +33,7 @@
import io.quarkus.test.junit.main.Launch;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static io.restassured.RestAssured.when;
import static org.hamcrest.CoreMatchers.hasItem;
import static org.hamcrest.CoreMatchers.not;
Expand Down Expand Up @@ -66,13 +67,17 @@ public void maxQueuedRequestsTest(KeycloakDistribution dist) {
public void preventNonNormalizedURLs() {
when().get("/realms/master").then().statusCode(200);
when().get("/realms/xxx/../master").then().statusCode(400);
given().urlEncodingEnabled(false)
.when().get("/realms/master;xxx").then().statusCode(400);
}

@Test
@Launch({"start-dev", "--http-access-log-enabled=true", "--http-accept-non-normalized-paths=true"})
public void allowNonNormalizedURLs() {
when().get("/realms/master").then().statusCode(200);
when().get("/realms/xxx/../master").then().statusCode(200);
given().urlEncodingEnabled(false)
.when().get("/realms/master;xxx").then().statusCode(200);
}

@Test
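Review bot: both new assertions check only the status code, and the filter now has two different 400 responses (non-normalized path and semicolon); in `preventNonNormalizedURLs` also assert on the JSON body, e.g. `.body("error", is("invalidCharacter"))` with the matching Hamcrest import, so a regression that sends `/realms/master;xxx` through the other branch is still caught. `urlEncodingEnabled(false)` is needed here, presumably because RestAssured would otherwise percent-encode the semicolon and the request would never reach the new branch; a one-line comment saying so would save the next reader a trip to the filter.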
Expand Up @@ -221,9 +221,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
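Review bot: wording only: this help snapshot and the identical hunks below reproduce the Option description verbatim, including "more concise URL filtering"; if "precise" is intended, fix it in Option.java first and regenerate these snapshots, since they must match the description byte for byte.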
Expand Up @@ -291,9 +291,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -269,9 +269,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -292,9 +292,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -237,9 +237,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -260,9 +260,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -268,9 +268,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -291,9 +291,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -266,9 +266,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination
Expand Up @@ -289,9 +289,10 @@ HTTP(S):

--http-accept-non-normalized-paths <true|false>
DEPRECATED. If the server should accept paths that are not normalized
according to RFC3986 or that contain a double slash ('//'). While accepting
those requests might be relevant for legacy applications, it is recommended
to disable it to allow for more concise URL filtering. Default: false.
according to RFC3986 or that contain a double slash ('//') or semicolon
(';'). While accepting those requests might be relevant for legacy
applications, it is recommended to disable it to allow for more concise URL
filtering. Default: false.
--http-enabled <true|false>
Enables the HTTP listener. Enabled by default in development mode. Typically
not enabled in production unless the server is fronted by a TLS termination