CVE-2022-22971 - Ignore invalid connect frame

Closes spring-projectsgh-28443 (cherry picked from commit dc2947c)
Datameer-Inc · Nov 1, 2022 · 8674070 · 8674070
1 parent f187239
commit 8674070
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 3 deletions.
diff --git a/build.gradle b/build.gradle
@@ -145,6 +145,7 @@ configure(allprojects) { project ->
 			exclude group:'org.hamcrest', module:'hamcrest-core'
 		}
 		testCompile("org.hamcrest:hamcrest-all:${hamcrestVersion}")
+		testCompile "org.assertj:assertj-core:3.18.1"
 
 		sniffer("org.codehaus.mojo:animal-sniffer-ant-tasks:${snifferVersion}")
 		javaApiSignature("org.codehaus.mojo.signature:java16:1.1@signature")  // API level from JDK 6 update 18

diff --git a/...g/src/main/java/org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java b/...g/src/main/java/org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -296,6 +296,14 @@ protected void handleMessageInternal(Message<?> message) {
 		}
 		else if (SimpMessageType.CONNECT.equals(messageType)) {
 			logMessage(message);
+			if (sessionId != null) {
+				if (this.sessions.get(sessionId) != null) {
+					if (logger.isWarnEnabled()) {
+						logger.warn("Ignoring CONNECT in session " + sessionId + ". Already connected.");
+					}
+					return;
+				}
+			}
 			long[] clientHeartbeat = SimpMessageHeaderAccessor.getHeartbeat(headers);
 			long[] serverHeartbeat = getHeartbeatValue();
 			Principal user = SimpMessageHeaderAccessor.getUser(headers);

diff --git a/...rc/main/java/org/springframework/messaging/simp/stomp/StompBrokerRelayMessageHandler.java b/...rc/main/java/org/springframework/messaging/simp/stomp/StompBrokerRelayMessageHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -494,6 +494,12 @@ else if (accessor instanceof SimpMessageHeaderAccessor) {
 		}
 
 		if (StompCommand.CONNECT.equals(command)) {
+			if (this.connectionHandlers.get(sessionId) != null) {
+				if (logger.isWarnEnabled()) {
+					logger.warn("Ignoring CONNECT in session " + sessionId + ". Already connected.");
+				}
+				return;
+			}
 			if (logger.isDebugEnabled()) {
 				logger.debug(stompAccessor.getShortLogMessage(EMPTY_PAYLOAD));
 			}

diff --git a/...st/java/org/springframework/messaging/simp/stomp/StompBrokerRelayMessageHandlerTests.java b/...st/java/org/springframework/messaging/simp/stomp/StompBrokerRelayMessageHandlerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,6 +44,8 @@
 import org.springframework.util.concurrent.ListenableFuture;
 import org.springframework.util.concurrent.ListenableFutureTask;
 
+import static org.assertj.core.api.Assertions.assertThat;
+
 /**
  * Unit tests for StompBrokerRelayMessageHandler.
  *
@@ -220,6 +222,30 @@ public void systemSubscription() throws Exception {
 		assertSame(message, captor.getValue());
 	}
 
+	@Test
+	public void alreadyConnected() {
+
+		this.brokerRelay.start();
+
+		Message<byte[]> connect = connectMessage("sess1", "joe");
+		this.brokerRelay.handleMessage(connect);
+
+		assertThat(this.tcpClient.getSentMessages().size()).isEqualTo(2);
+
+		StompHeaderAccessor headers1 = this.tcpClient.getSentHeaders(0);
+		assertThat(headers1.getCommand()).isEqualTo(StompCommand.CONNECT);
+		assertThat(headers1.getSessionId()).isEqualTo(StompBrokerRelayMessageHandler.SYSTEM_SESSION_ID);
+
+		StompHeaderAccessor headers2 = this.tcpClient.getSentHeaders(1);
+		assertThat(headers2.getCommand()).isEqualTo(StompCommand.CONNECT);
+		assertThat(headers2.getSessionId()).isEqualTo("sess1");
+
+		this.brokerRelay.handleMessage(connect);
+
+		assertThat(this.tcpClient.getSentMessages().size()).isEqualTo(2);
+		assertThat(this.outboundChannel.getMessages()).isEmpty();
+	}
+
 	private Message<byte[]> connectMessage(String sessionId, String user) {
 		StompHeaderAccessor headers = StompHeaderAccessor.create(StompCommand.CONNECT);
 		headers.setSessionId(sessionId);