OF-2893: Warn administrator when a wildcard pattern is loaded (but wildcards are disabled)

Fishbowler · Fishbowler · commit dca6af302f64 · 2024-10-20T15:56:11.000+01:00
diff --git a/i18n/src/main/resources/openfire_i18n.properties b/i18n/src/main/resources/openfire_i18n.properties
@@ -2832,6 +2832,7 @@ plugin.admin.failed.minJavaVersion=The plugin requires Java specification versio
 plugin.admin.failed.missingParent=The plugin requires another plugin, named {0}, that currently is not installed.
 plugin.admin.failed.databaseScript=A plugin database install or update script failed. Review the logs for additional details.
 plugin.admin.failed.unknown=An exception occurred while loading plugin. Review the logs for additional details.
+plugin.admin.wildcards-exists=A plugin has loaded admin console authentication bypass patterns that includes a wildcard, but the System Property 'adminConsole.access.allow-wildcards-in-excludes' is disabled.
 
 # System Admin Console access
 system.admin.console.access.title=Admin Console Access
diff --git a/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java b/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -174,6 +174,13 @@ public static void removeExclude(String exclude) {
         excludes.remove(exclude);
     }
 
+    /**
+     * Indicates to the caller whether any of the currently loaded exclusions contains a wildcard
+     */
+    public static boolean excludesIncludeWildcards() {
+        return excludes.stream().anyMatch(e -> e.contains("*"));
+    }
+
     /**
      * Returns true if a URL passes an exclude rule.
      *
diff --git a/xmppserver/src/main/webapp/plugin-admin.jsp b/xmppserver/src/main/webapp/plugin-admin.jsp
@@ -23,6 +23,7 @@
                  org.apache.commons.fileupload.disk.DiskFileItemFactory,
                  org.apache.commons.fileupload.servlet.ServletFileUpload"
         %>
+<%@ page import="org.jivesoftware.admin.AuthCheckFilter" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
 <%@ page import="org.jivesoftware.openfire.update.UpdateManager" %>
@@ -369,6 +370,11 @@ tr.lowerhalf > td:last-child {
             <fmt:message key="plugin.admin.monitortask_running" />
         </admin:infobox>
     </c:if>
+    <c:if test="${ AuthCheckFilter.excludesIncludeWildcards() && !AuthCheckFilter.ALLOW_WILDCARDS_IN_EXCLUDES.getValue() }">
+        <admin:infobox type="warning">
+            <fmt:message key="plugin.admin.wildcards-exists" />
+        </admin:infobox>
+    </c:if>
     <p>
     <fmt:message key="plugin.admin.info"/>
 </p>

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,13 @@ public static void removeExclude(String exclude) {`
`174`	`174`	`excludes.remove(exclude);`
`175`	`175`	`}`
`176`	`176`
	`177`	`+ /**`
	`178`	`+ * Indicates to the caller whether any of the currently loaded exclusions contains a wildcard`
	`179`	`+ */`
	`180`	`+ public static boolean excludesIncludeWildcards() {`
	`181`	`+ return excludes.stream().anyMatch(e -> e.contains("*"));`
	`182`	`+ }`
	`183`	`+`
`177`	`184`	`/**`
`178`	`185`	`* Returns true if a URL passes an exclude rule.`
`179`	`186`	`*`