[KEYCLOAK-14352] JavaScript injection vulnerability of Realm registration REST API

2020-06-16 10:57:00 -07:00 · 2020-06-16 10:57:00 -07:00 · 43e075afa5
commit 43e075afa5
parent ab347df5ee
2 changed files with 51 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@ -96,7 +96,12 @@ public class RealmManager {
    }

    public RealmModel createRealm(String id, String name) {
-        if (id == null) id = KeycloakModelUtils.generateId();
+        if (id == null) {
+            id = KeycloakModelUtils.generateId();
+        }
+        else {
+            ReservedCharValidator.validate(id);
+        }
        ReservedCharValidator.validate(name);
        RealmModel realm = model.createRealm(id, name);
        realm.setName(name);
@ -502,6 +507,9 @@ public class RealmManager {
        if (id == null) {
            id = KeycloakModelUtils.generateId();
        }
+        else {
+            ReservedCharValidator.validate(id);
+        }
        RealmModel realm = model.createRealm(id, rep.getRealm());
        ReservedCharValidator.validate(rep.getRealm());
        realm.setName(rep.getRealm());
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/BadRealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/BadRealmTest.java
@ -0,0 +1,42 @@
+package org.keycloak.testsuite.model;
+
+import org.junit.Test;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.services.managers.RealmManager;
+import org.keycloak.testsuite.AbstractKeycloakTest;
+import org.keycloak.testsuite.arquillian.annotation.ModelTest;
+import org.keycloak.utils.ReservedCharValidator;
+
+import java.util.List;
+
+import static org.junit.Assert.fail;
+
+public class BadRealmTest extends AbstractKeycloakTest {
+    private String name = "MyRealm";
+    private String id = "MyId";
+    private String script = "<script>alert(4)</script>";
+
+    public void addTestRealms(List<RealmRepresentation> testRealms) {
+    }
+
+    @Test
+    @ModelTest
+    public void testBadRealmName(KeycloakSession session) {
+        RealmManager manager = new RealmManager(session);
+        try {
+            manager.createRealm(id, name + script);
+            fail();
+        } catch (ReservedCharValidator.ReservedCharException ex) {}
+    }
+
+    @Test
+    @ModelTest
+    public void testBadRealmId(KeycloakSession session) {
+        RealmManager manager = new RealmManager(session);
+        try {
+            manager.createRealm(id + script, name);
+            fail();
+        } catch (ReservedCharValidator.ReservedCharException ex) {}
+    }
+}