/**
 * Returns the proxy to be used when connecting to the given URI.
 *
 * <p>Only HTTP proxies are translated into an {@link HttpHost}; a DIRECT
 * proxy, a SOCKS proxy (not supported yet) and a missing Jenkins proxy
 * configuration all yield {@code null}, i.e. a direct connection.
 *
 * @param method the request whose target host selects the proxy
 * @return the HTTP proxy host, or {@code null} when none applies
 * @throws URIException if the request URI cannot be parsed
 */
private HttpHost getProxy(HttpUriRequest method) throws URIException {
    ProxyConfiguration proxyConfig = Jenkins.getInstance().proxy;
    if (proxyConfig == null) {
        // Defensive: Jenkins has no proxy configured at all.
        return null;
    }
    Proxy selected = proxyConfig.createProxy(method.getURI().getHost());
    if (selected.type() != Proxy.Type.HTTP) {
        // DIRECT means no proxy; SOCKS and anything else is not supported yet.
        return null;
    }
    InetSocketAddress address = (InetSocketAddress) selected.address();
    return new HttpHost(address.getHostName(), address.getPort());
}
/**
 * Posts a Solr query and converts the JSON reply into a {@link JSONResult}.
 *
 * <p>When {@code spellCheckParams} is given, the first reply is handed to a
 * {@link SpellCheckDecisionManager}; if it decides to collate, the query is
 * re-issued against the collated URL and the chosen spell-check value is
 * attached to the reply under the {@code "spellcheck"} key.
 *
 * @param httpClient client used for the POST
 * @param url Solr endpoint
 * @param body JSON query body
 * @param jsonProcessor converts the raw JSON into the result object
 * @param spellCheckParams spell-check parameters, or {@code null} to skip spell checking
 * @return the processed result
 * @throws IOException on transport failures
 * @throws JSONException if the reply cannot be parsed or modified
 */
protected JSONResult postSolrQuery(HttpClient httpClient, String url, JSONObject body, SolrJsonProcessor<?> jsonProcessor, String spellCheckParams)
        throws UnsupportedEncodingException, IOException, HttpException, URIException,
        JSONException
{
    JSONObject reply = postQuery(httpClient, url, body);
    if (spellCheckParams != null)
    {
        SpellCheckDecisionManager decision = new SpellCheckDecisionManager(reply, url, body, spellCheckParams);
        if (decision.isCollate())
        {
            // Re-run with the collated query chosen by the spell checker.
            reply = postQuery(httpClient, decision.getUrl(), body);
        }
        reply.put("spellcheck", decision.getSpellCheckJsonValue());
    }
    JSONResult processed = jsonProcessor.getResult(reply);
    if (s_logger.isDebugEnabled())
    {
        s_logger.debug("Sent :" + url);
        s_logger.debug(" with: " + body.toString());
        s_logger.debug("Got: " + processed.getNumberFound() + " in " + processed.getQueryTime() + " ms");
    }
    return processed;
}
@Test
public void ignoreExposureToSelfRelativeLink()
        throws HttpMalformedHeaderException, URIException {
    // Given: a request URL carrying a session ID and a body with only a self-relative link
    String requestUri = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n<p><a href=\"default.jsp\">\n"
                    + " <img src=\"smiley.gif\" alt=\"HTML tutorial\" style=\"width:42px;height:42px;border:0;\">\n</a></p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(requestUri, false));
    // When
    scanHttpResponseReceive(message);
    // Then: the session ID in the URL is reported once; the self-relative href must
    // not be treated as a third-party exposure, so no second alert is expected.
    assertEquals(1, alertsRaised.size());
}
/**
 * Builds the full URI for {@code relativePath} under {@code baseUri}.
 *
 * <p>A {@code /} is inserted between base and path if the base lacks one, and
 * appended to a non-empty path when {@code withTrailingSlash} is set. The path
 * is percent-encoded with {@link URIUtil#encodePath(String)}.
 *
 * @param relativePath path relative to the base URI
 * @param withTrailingSlash whether to ensure the path ends with {@code /}
 * @return the encoded full URI
 * @throws RuntimeException if the path cannot be encoded
 */
private String fullUriString(String relativePath, boolean withTrailingSlash) {
    String base = this.baseUri;
    String prefix = base.endsWith("/") ? base : base + "/";
    String path = relativePath;
    boolean needsSlash = withTrailingSlash && !path.isEmpty() && !path.endsWith("/");
    if (needsSlash) {
        path = path + "/";
    }
    try {
        return prefix + URIUtil.encodePath(path);
    } catch (URIException e) {
        throw new RuntimeException("problem encoding fullUri", e);
    }
}
@Test
public void shouldAlertOnSuspiciousCommentInHtmlComments()
        throws HttpMalformedHeaderException, URIException {
    // Given: the suspicious marker appears only inside an HTML comment
    String html =
            "<h1>Some text <!--Some Html comment FixMe: DO something --></h1>\n<b>No script here</b>\n";
    HttpMessage message = createHttpMessageWithRespBody(html, "text/html;charset=ISO-8859-1");
    // Sanity-check the fixture: textual, but not JavaScript.
    assertTrue(message.getResponseHeader().isText());
    assertFalse(message.getResponseHeader().isJavaScript());
    // When
    scanHttpResponseReceive(message);
    // Then: exactly one alert for the comment
    assertEquals(1, alertsRaised.size());
}
@Test
public void ignoreExposureToBookmark() throws HttpMalformedHeaderException, URIException {
    // Given: a request URL carrying a session ID and a body whose only link is a fragment bookmark
    String requestUri = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n<h2 id=\"C4\">Chapter 4</h2>"
                    + "<p><a href=\"#C4\">Jump to Chapter 4</a></p>\n</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(requestUri, false));
    // When
    scanHttpResponseReceive(message);
    // Then: one alert for the session ID in the URL; the bookmark href is self-relative
    // and must not produce a second alert.
    assertEquals(1, alertsRaised.size());
}
@Test
public void detectExposureTo3rdPartyUnquotedHREF()
        throws HttpMalformedHeaderException, URIException {
    // Given: a session ID in the request URL and an unquoted third-party href in the body
    String requestUri = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=https://www.example.org/html/hello>Testing ZAP</a></p>\n</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(requestUri, false));
    // When
    scanHttpResponseReceive(message);
    // Then: one alert for the session ID, one for its exposure to the third-party link
    assertEquals(2, alertsRaised.size());
}
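/**
 * Creates a connection for {@code url}, configuring the proxy from the bundle
 * context and, when the {@code TIMEOUT} property is set, the socket timeout.
 *
 * @param bc bundle context supplying properties and proxy settings
 * @param url target URL; treated as not yet escaped
 * @param mode connection mode (stored by the caller's contract, unused here)
 * @param timeouts whether timeouts are requested (unused here)
 * @throws URIException if {@code url} cannot be parsed
 * @throws RuntimeException if the {@code TIMEOUT} property is not an integer
 */
HttpClientConnection(final BundleContext bc,
                     final String url,
                     final int mode,
                     final boolean timeouts)
        throws URIException
{
    this.bc = bc;
    uri = new URI(url, false); // assume not escaped URIs
    ProxySelector.configureProxy(bc, client, url);
    final String timeoutString = bc.getProperty(TIMEOUT);
    if (timeoutString != null) {
        try {
            client.getParams().setSoTimeout(Integer.parseInt(timeoutString));
        } catch (NumberFormatException e) {
            // Keep the parse failure as the cause so the bad value is diagnosable.
            throw new RuntimeException("Invalid timeout " + timeoutString, e);
        }
    }
}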
/**
 * Builds a test message whose request carries the given {@code Referer} and
 * whose response is a fixed {@code text/plain} body.
 *
 * @param testReferer value of the {@code Referer} request header
 * @return the assembled message
 * @throws HttpMalformedHeaderException if the response header cannot be parsed
 * @throws URIException if the fixture URI cannot be parsed
 */
protected HttpMessage createHttpMessageWithRespBody(String testReferer)
        throws HttpMalformedHeaderException, URIException {
    HttpRequestHeader request = new HttpRequestHeader();
    request.setURI(new URI(URI, false));
    request.setHeader("Referer", testReferer);
    // Content-Length is derived from the fixed body so the header stays consistent.
    String responseHeader =
            "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/plain\r\nContent-Length: "
                    + BODY.length()
                    + "\r\n";
    HttpMessage message = new HttpMessage();
    message.setRequestHeader(request);
    message.setResponseBody(BODY);
    message.setResponseHeader(responseHeader);
    return message;
}
/**
 * Returns a representation of the host name as used throughout ZAP. The representation contains
 * the scheme, the host and, if needed, the port. Method should be used to keep consistency
 * whenever displaying a node's hostname.
 *
 * <p>The port is omitted only when it is the default for the (lower-cased) scheme:
 * 80 for {@code http}, 443 for {@code https}. Any other explicit port is shown.
 *
 * <p>Example outputs:
 *
 * <ul>
 * <li><i>http://example.org</i>
 * <li><i>http://example.org:8080</i>
 * <li><i>https://example.org</i>
 * </ul>
 *
 * @param uri the URI to render; must carry a scheme
 * @return {@code scheme://host[:port]}
 * @throws URIException if the host cannot be extracted
 */
public static String getHostName(URI uri) throws URIException {
    String scheme = uri.getScheme().toLowerCase();
    int port = uri.getPort();
    boolean defaultHttpPort = port == 80 && "http".equals(scheme);
    boolean defaultHttpsPort = port == 443 && "https".equals(scheme);
    boolean showPort = port != -1 && !(defaultHttpPort || defaultHttpsPort);
    String rendered = scheme + "://" + uri.getHost();
    if (showPort) {
        rendered = rendered + ":" + port;
    }
    return rendered;
}
@Test
public void shouldRaiseAlertStoreAndCacheableWhenStaleRetrieveAllowed()
        throws URIException, HttpMalformedHeaderException {
    // Given: a public response whose Expires lies before the Date header (already stale)
    String staleHeader =
            "HTTP/1.1 200 OK\r\nCache-Control: public\r\n"
                    + "Expires: Wed, 02 Oct 2019 06:00:00 GMT\r\nDate: Wed, 02 Oct 2019 07:00:00 GMT";
    HttpMessage message = createMessage();
    message.setResponseHeader(staleHeader);
    // When
    scanHttpResponseReceive(message);
    // Then: storeable and cacheable, with no extra information
    assertStoreAndCacheable("");
}
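/**
 * Builds the URI to send for a scan by appending {@code attackParam} to the
 * scheme, authority and escaped path of {@code originalURI} (an empty path
 * becomes {@code /}).
 *
 * @param originalURI the URI being scanned
 * @param attackParam the string appended to the path, already escaped
 * @return the new URI, or {@code null} if the result does not parse
 */
private static URI createAttackUri(URI originalURI, String attackParam) {
    String path = originalURI.getRawPath() != null ? originalURI.getEscapedPath() : "/";
    String uri =
            originalURI.getScheme()
                    + "://"
                    + originalURI.getEscapedAuthority()
                    + path
                    + attackParam;
    try {
        return new URI(uri, true);
    } catch (URIException e) {
        // Log the exception itself so the stack trace is not lost with the message.
        log.warn("Failed to create attack URI [" + uri + "], cause: " + e.getMessage(), e);
        return null;
    }
}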
/**
 * Returns the (lazily computed and cached) base key under which statistics
 * for this channel are recorded.
 *
 * <p>Prefers the host name derived from the handshake URI so the key matches
 * other statistics; falls back to {@code "http://" + host} when there is no
 * handshake reference or its URI cannot be parsed.
 *
 * @return the stats base key
 */
private String getStatsBaseKey() {
    if (statsBaseKey != null) {
        return statsBaseKey;
    }
    HistoryReference handshake = getHandshakeReference();
    String key = null;
    if (handshake != null) {
        try {
            // Best attempt at the same host name other stats will use.
            key = SessionStructure.getHostName(handshake.getURI());
        } catch (URIException e) {
            // Unlikely; fall through to the plain host fallback below.
        }
    }
    if (key == null) {
        key = "http://" + host;
    }
    statsBaseKey = key;
    return statsBaseKey;
}
@Test
public void shouldGetHostNode()
        throws URIException, DatabaseException, HttpMalformedHeaderException {
    // Given: a message node whose parent is a host node under the root
    String hostName = defaultHostName.toString();
    URI firstUri = new URI("https", null, hostName, -1, "/first");
    WebSocketChannelDTO channel = getWebSocketChannelDTO(1, hostName, firstUri.toString());
    TreeNode host = new WebSocketNode(root, new HostFolderContent(namer, channel));
    MessageContent content = new MessageContent(namer, getTextOutgoingMessage(channel, "Test", 1));
    TreeNode message = new WebSocketNode(host, content);
    // When
    List<TreeNode> hosts = message.getHostNodes(new ArrayList<>());
    // Then: only the direct host ancestor is reported
    assertEquals(1, hosts.size());
    assertEquals(host, hosts.get(0));
}
/**
 * Creates a scan target from {@code uri}, keeping only its scheme, host and
 * port; path, query and fragment are cleared on the stored copy.
 *
 * @param uri the URI identifying the target
 * @throws IllegalArgumentException if the host cannot be extracted from the URI
 */
public ScanTarget(URI uri) {
    this.uri = copyURI(uri);
    this.scheme = uri.getScheme();
    String parsedHost;
    try {
        parsedHost = uri.getHost();
    } catch (URIException e) {
        throw new IllegalArgumentException("Failed to get host from URI: " + e.getMessage(), e);
    }
    this.host = parsedHost;
    this.port = getPort(scheme, uri.getPort());
    try {
        // Only scheme/host/port identify a target; drop everything else from the copy.
        this.uri.setPath(null);
        this.uri.setQuery(null);
        this.uri.setFragment(null);
    } catch (URIException ignore) {
        // Setting path, query and fragment to null cannot fail.
    }
    this.stringRepresentation = createHostPortString(host, port);
    buildHtmlStringRepresentation();
}
/**
 * Test for doubly-encoded sequences.
 * See <a href="https://sourceforge.net/tracker/index.php?func=detail&aid=966219&group_id=73833&atid=539099">[ 966219 ] UURI doubly-encodes %XX sequences</a>.
 *
 * <p>Re-parsing an already encoded URI (twice) must leave it unchanged, both
 * with an explicit ISO-8859-1 charset and with the default UTF-8 one.
 *
 * @throws URIException
 */
public final void testDoubleEncoding() throws URIException {
    final char aeLigature = '\u00E6';
    final String rawUri = "http://archive.org/DIR WITH SPACES/home" + aeLigature + ".html";
    // ISO-8859-1: one byte per character.
    final String latin1Encoded = "http://archive.org/DIR%20WITH%20SPACES/home%E6.html";
    UsableURI parsed = UsableURIFactory.getInstance(rawUri, "ISO-8859-1");
    assertEquals("single encoding", latin1Encoded, parsed.toString());
    // Feed the encoded form back in twice; it must not be re-encoded.
    for (int round = 0; round < 2; round++) {
        parsed = UsableURIFactory.getInstance(parsed.toString(), "ISO-8859-1");
    }
    assertEquals("double encoding", latin1Encoded, parsed.toString());
    // Default charset (UTF-8): the ligature becomes two bytes.
    parsed = UsableURIFactory.getInstance(rawUri);
    final String utf8Encoded = "http://archive.org/DIR%20WITH%20SPACES/home%C3%A6.html";
    assertEquals("Not equal utf8", utf8Encoded, parsed.toString());
    for (int round = 0; round < 2; round++) {
        parsed = UsableURIFactory.getInstance(parsed.toString());
    }
    assertEquals("Not equal (dbl-encoding) utf8", utf8Encoded, parsed.toString());
}
@Test
@Disabled(value = "Scanner does not look for session IDs in the response embedded in HREFs")
public void containsSessionIdInResponseHREFParams()
        throws HttpMalformedHeaderException, URIException {
    // Given: a clean request URL and a body whose third-party href carries a session ID
    String requestUri = "http://tld.gtld/fred?foo=bar";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=\"https://www.example.org/html/?jsessionid=1A530637289A03B07199A44E8D531427\">Testing ZAP</a></p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(requestUri, false));
    // When
    scanHttpResponseReceive(message);
    // Then: one alert expected for the session ID inside the href
    assertEquals(1, alertsRaised.size());
}
@Test
public void shouldRaiseAlertWhenSsnInReferer()
        throws HttpMalformedHeaderException, URIException {
    // Given: a Referer whose query string carries an SSN-shaped value
    String paramName = "docid";
    String ssn = "000-00-0000";
    String referer = "http://example.org/?" + paramName + "=" + ssn + "&hl=en";
    HttpMessage message = createHttpMessageWithRespBody(referer);
    // When
    scanHttpRequestSend(message);
    // Then: one alert, evidencing the SSN and carrying the SSN-specific other-info text
    assertEquals(1, alertsRaised.size());
    Alert raised = alertsRaised.get(0);
    assertEquals(ssn, raised.getEvidence());
    String expectedOtherInfo =
            Constant.messages.getString(
                    InformationDisclosureReferrerScanRule.MESSAGE_PREFIX + "otherinfo.ssn");
    assertEquals(expectedOtherInfo, raised.getOtherInfo());
}
/**
 * Prepares the rule under test: a mocked anti-CSRF extension that reports two
 * token names, empty ignore settings, and a request to {@code http://example.com}.
 *
 * @throws URIException if the fixture URI cannot be parsed
 */
@BeforeEach
public void before() throws URIException {
    // Request fixture shared by the tests.
    HttpRequestHeader request = new HttpRequestHeader();
    request.setURI(new URI("http://example.com", false));
    msg = new HttpMessage();
    msg.setRequestHeader(request);
    // Anti-CSRF token names the mocked extension will report.
    antiCsrfTokenNames = new ArrayList<>();
    antiCsrfTokenNames.add("token");
    antiCsrfTokenNames.add("csrfToken");
    extensionAntiCSRFMock = mock(ExtensionAntiCSRF.class);
    Mockito.lenient()
            .when(extensionAntiCSRFMock.getAntiCsrfTokenNames())
            .thenReturn(antiCsrfTokenNames);
    // Rule configuration: no ignore list, no ignore attribute.
    rule.setExtensionAntiCSRF(extensionAntiCSRFMock);
    rule.setCsrfIgnoreList("");
    rule.setCSRFIgnoreAttName("");
    rule.setCSRFIgnoreAttValue("");
}
@Test
public void shouldRaiseAlertIfXCacheWasHitWithMultipleServerDetails() throws URIException {
    // Given: an X-Cache header listing a HIT followed by a MISS from another server
    String xCache = "HIT from proxy.domain.tld, MISS from proxy.local";
    HttpMessage message = createMessage();
    message.getResponseHeader().addHeader(X_CACHE, xCache);
    // When
    scanHttpResponseReceive(message);
    // Then: one alert, evidencing only the HIT entry
    assertThat(alertsRaised.size(), equalTo(1));
    assertThat(alertsRaised.get(0).getEvidence(), equalTo("HIT from proxy.domain.tld"));
}
@Test
public void shouldProcessAtMediumThresholdAndInScope()
        throws HttpMalformedHeaderException, URIException {
    // Given: an in-scope message and the rule at MEDIUM threshold
    HttpMessage message = createMessage(true);
    rule.setConfig(new ZapXmlConfiguration());
    rule.setAlertThreshold(AlertThreshold.MEDIUM);
    // Note: relies on the context set up by an earlier test.
    rule.init(message, parent);
    // When
    rule.scan();
    // Then: the rule sent at least one request
    assertThat(httpMessagesSent, hasSize(greaterThan(0)));
}
@Test
public void shouldNotRaiseAlertIfResponseFormIsSecure() throws URIException {
    // Given: a form whose action is an https URL
    String secureForm =
            "<html><form name=\"someform\" action=\"https://example.com/processform\"></form</html>";
    HttpMessage message = createMessage();
    message.setResponseBody(secureForm);
    // When
    scanHttpResponseReceive(message);
    // Then: nothing to report
    assertThat(alertsRaised.size(), equalTo(0));
}
/**
 * Builds a minimal message: a request to {@code http://example.com} and a
 * {@code 200 OK} {@code text/html} response with no body.
 *
 * @return the assembled message
 * @throws URIException if the fixture URI cannot be parsed
 */
private HttpMessage createMessage() throws URIException {
    HttpMessage message = new HttpMessage();
    HttpRequestHeader request = new HttpRequestHeader();
    request.setURI(new URI("http://example.com", false));
    message.setRequestHeader(request);
    message.getResponseHeader().setStatusCode(HttpStatusCode.OK);
    message.getResponseHeader().setHeader(HttpResponseHeader.CONTENT_TYPE, "text/html");
    return message;
}
/**
 * Returns the host, resolving it from the superclass once and caching it.
 *
 * <p>httpclient 3.0 throws {@code IllegalArgumentException} from
 * {@code getHost()} when {@code _host} is null, so the superclass is only
 * consulted when a host is present; otherwise the (null) cache is returned.
 *
 * @return the cached host, possibly {@code null}
 * @throws URIException if the superclass cannot resolve the host
 */
public synchronized String getHost() throws URIException {
    boolean resolvable = this.cachedHost == null && this._host != null;
    if (resolvable) {
        this.cachedHost = super.getHost();
        coalesceHostAuthorityStrings();
    }
    return this.cachedHost;
}
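/**
 * POSTs {@code body} as JSON to {@code url} and parses the JSON reply.
 *
 * <p>A single 301/302 answer is followed by re-issuing the POST to the
 * {@code Location} header. Any final status other than 200 raises
 * {@link LuceneQueryParserException}. The response body stream is closed and
 * the connection released in all cases.
 *
 * @param httpClient client used to execute the request
 * @param url target URL
 * @param body JSON request body, sent as {@code application/json} in UTF-8
 * @return the parsed JSON reply
 * @throws IOException on transport failures
 * @throws URIException if a redirect location cannot be parsed
 * @throws JSONException if the reply is not valid JSON
 * @throws LuceneQueryParserException if the final status is not 200
 */
protected JSONObject postQuery(HttpClient httpClient, String url, JSONObject body) throws UnsupportedEncodingException,
        IOException, HttpException, URIException, JSONException
{
    String payload = body.toString();
    PostMethod post = new PostMethod(url);
    if (payload.length() > DEFAULT_SAVEPOST_BUFFER)
    {
        // Large bodies: wait for the server's 100 Continue before streaming the body.
        post.getParams().setBooleanParameter(HttpMethodParams.USE_EXPECT_CONTINUE, true);
    }
    post.setRequestEntity(new StringRequestEntity(payload, "application/json", "UTF-8"));
    try
    {
        httpClient.executeMethod(post);
        int status = post.getStatusCode();
        if (status == HttpStatus.SC_MOVED_PERMANENTLY || status == HttpStatus.SC_MOVED_TEMPORARILY)
        {
            Header locationHeader = post.getResponseHeader("location");
            if (locationHeader != null)
            {
                // NOTE(review): the body is re-sent verbatim to whatever Location the server
                // returned, including a different host; this assumes the endpoint is trusted.
                post.setURI(new URI(locationHeader.getValue(), true));
                httpClient.executeMethod(post);
            }
        }
        if (post.getStatusCode() != HttpStatus.SC_OK)
        {
            throw new LuceneQueryParserException("Request failed " + post.getStatusCode() + " " + url);
        }
        Reader reader = new BufferedReader(new InputStreamReader(post.getResponseBodyAsStream(), post.getResponseCharSet()));
        try
        {
            // TODO - replace with streaming-based solution e.g. SimpleJSON ContentHandler
            return new JSONObject(new JSONTokener(reader));
        }
        finally
        {
            // Close the body stream explicitly instead of relying on releaseConnection().
            reader.close();
        }
    }
    finally
    {
        post.releaseConnection();
    }
}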
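/**
 * Sets the host, port and scheme from {@code uri}.
 *
 * @param uri source of host, port and scheme
 * @throws IllegalArgumentException if the host cannot be extracted; the
 *     underlying {@link URIException} is attached as the cause
 */
@SuppressWarnings("unused")
public synchronized void setHost(URI uri)
{
    try {
        setHost(uri.getHost(), uri.getPort(), uri.getScheme());
    } catch(URIException e) {
        // Keep the original exception as the cause so the stack trace survives.
        throw new IllegalArgumentException(e.toString(), e);
    }
}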
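/**
 * Utility function used to convert a given URI to a decoded string
 * representation sent to the backing store. URIs coming as input
 * to this class will be encoded by the URI class, and we want
 * the underlying storage to store keys in their original UTF-8 form.
 *
 * @param uri the encoded URI
 * @return the percent-decoded string form of {@code uri}
 * @throws AssertionError if decoding fails; the {@link URIException} is attached as the cause
 */
private static String convertUriToDecodedString(URI uri) {
    try {
        return URIUtil.decode(uri.toString());
    } catch (URIException e) {
        // initCause keeps the decoding failure diagnosable without requiring
        // the AssertionError(String, Throwable) constructor.
        AssertionError failure = new AssertionError("Failed to decode URI: " + uri.toString());
        failure.initCause(e);
        throw failure;
    }
}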
@Test
public void shouldNotRaiseAlertIfResponseIsNotHtml() throws URIException {
    // Given: a JSON response instead of HTML
    HttpMessage message = createMessage();
    message.getResponseHeader().setHeader(HttpHeader.CONTENT_TYPE, "application/json");
    // When
    scanHttpResponseReceive(message);
    // Then: non-HTML responses are not scanned
    assertThat(alertsRaised.size(), equalTo(0));
}
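/**
 * Ensure that relative URIs with colons in late positions
 * aren't mistakenly interpreted as absolute URIs with long,
 * illegal schemes.
 *
 * <p>Assertions follow the {@code (message, expected, actual)} convention so
 * a failure reports the expected literal and the computed URI the right way round.
 *
 * @throws URIException
 */
public void testLateColon() throws URIException {
    UsableURI base = UsableURIFactory.getInstance("http://www.example.com/path/page");
    // Colon in the path segment (after ';') and in the query.
    UsableURI uuri1 = UsableURIFactory.getInstance(base,"example.html;jsessionid=deadbeef:deadbeed?parameter=this:value");
    assertEquals("derelativize lateColon (path and query)",
            "http://www.example.com/path/example.html;jsessionid=deadbeef:deadbeed?parameter=this:value",
            uuri1.getURI());
    // Colon only in the query.
    UsableURI uuri2 = UsableURIFactory.getInstance(base,"example.html?parameter=this:value");
    assertEquals("derelativize lateColon (query only)",
            "http://www.example.com/path/example.html?parameter=this:value",
            uuri2.getURI());
}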
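/**
 * Builds a minimal test message: a {@code GET http://example.com/i.php}
 * request and a {@code 200 OK} {@code text/html} response with no body.
 *
 * @return the assembled message
 * @throws IllegalStateException if the fixed fixture URI cannot be set; the
 *     literal is constant, so this indicates a broken test environment
 */
public HttpMessage createMessage() {
    HttpRequestHeader requestHeader = new HttpRequestHeader();
    try {
        requestHeader.setURI(new URI("http://example.com/i.php", false));
    } catch (URIException | NullPointerException e) {
        // Fail the test loudly instead of silently producing a header without a URI.
        throw new IllegalStateException("Failed to set fixture URI", e);
    }
    requestHeader.setMethod(HttpRequestHeader.GET);
    HttpMessage msg = new HttpMessage();
    msg.setRequestHeader(requestHeader);
    msg.getResponseHeader().setStatusCode(HttpStatusCode.OK);
    msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, "text/html");
    return msg;
}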