Fixed jaliss#601: Security: password reset email host injection

Author: jaliss

ChangeLog

@@ -1,3 +1,5 @@
+master	-
+		- Fixed #601: Security: password reset email host injection
 3.0-M6  - 2017-02-17
 		- Upgraded to Play 2.5.12
 3.0-M5  - 2017-02-17

module-code/app/securesocial/core/RuntimeEnvironment.scala

@@ -56,7 +56,7 @@ object RuntimeEnvironment {
    * You can start your app with with by only adding a userService to handle users.
    */
   abstract class Default extends RuntimeEnvironment {
-    override lazy val routes: RoutesService = new RoutesService.Default()
+    override lazy val routes: RoutesService = new RoutesService.Default(configuration)
 
     override lazy val viewTemplates: ViewTemplates = new ViewTemplates.Default(this)(configuration)
     override lazy val mailTemplates: MailTemplates = new MailTemplates.Default(this)

module-code/app/securesocial/core/services/RoutesService.scala

@@ -16,6 +16,7 @@
  */
 package securesocial.core.services
 
+import play.api.Configuration
 import play.api.mvc.{ Call, RequestHeader }
 import securesocial.core.IdentityProvider
 
@@ -99,20 +100,25 @@ object RoutesService {
    * The default RoutesService implementation.  It points to the routes
    * defined by the built in controllers.
    */
-  class Default extends RoutesService {
+  class Default(configuration: Configuration) extends RoutesService {
     private val logger = play.api.Logger("securesocial.core.DefaultRoutesService")
-    lazy val conf = play.api.Play.current.configuration
-
     val FaviconKey = "securesocial.faviconPath"
     val JQueryKey = "securesocial.jqueryPath"
     val BootstrapCssKey = "securesocial.bootstrapCssPath"
     val CustomCssKey = "securesocial.customCssPath"
     val DefaultFaviconPath = "images/favicon.png"
     val DefaultJqueryPath = "javascripts/jquery-1.7.1.min.js"
     val DefaultBootstrapCssPath = "bootstrap/css/bootstrap.min.css"
+    val ApplicationHostKey = "securesocial.applicationHost"
+    val ApplicationPortKey = "securesocial.applicationPort"
+    private lazy val applicationHost = configuration.getString(ApplicationHostKey).getOrElse {
+      throw new RuntimeException(s"Missing property: $ApplicationHostKey")
+    }
+    private lazy val applicationPort = configuration.getInt(ApplicationPortKey).map(port => s":$port").getOrElse("")
+    private lazy val hostAndPort = s"$applicationHost$applicationPort"
 
     protected def absoluteUrl(call: Call)(implicit req: RequestHeader): String = {
-      call.absoluteURL(IdentityProvider.sslEnabled)
+      call.absoluteURL(IdentityProvider.sslEnabled, hostAndPort)
     }
 
     override def loginPageUrl(implicit req: RequestHeader): String = {
@@ -168,7 +174,7 @@ object RoutesService {
     }
 
     protected def valueFor(key: String, default: String) = {
-      val value = conf.getString(key).getOrElse(default)
+      val value = configuration.getString(key).getOrElse(default)
       logger.debug(s"[securesocial] $key = $value")
       securesocial.controllers.routes.Assets.at(value)
     }
@@ -195,7 +201,7 @@ object RoutesService {
      * @return Option containing a custom css file or None
      */
     override val customCssPath: Option[Call] = {
-      val path = conf.getString(CustomCssKey).map(securesocial.controllers.routes.Assets.at)
+      val path = configuration.getString(CustomCssKey).map(securesocial.controllers.routes.Assets.at)
       logger.debug("[securesocial] custom css path = %s".format(path))
       path
     }

samples/java/demo/conf/securesocial.conf

@@ -85,6 +85,12 @@ securesocial {
 	#
 	ssl=false
 
+	#
+	# The application host and optional port are used to compute the URLs users are pointed to.
+	# (see RoutesService.Default.absoluteUrl)
+	#
+	applicationHost=localhost
+	applicationPort=9000
 
 	#
 	# Parameters for the cookie used to track users.

samples/scala/demo/app/controllers/CustomLoginController.scala

@@ -4,7 +4,7 @@ import javax.inject.Inject
 
 import securesocial.controllers.BaseLoginPage
 import play.api.mvc.{ Action, AnyContent, RequestHeader }
-import play.api.Logger
+import play.api.{ Configuration, Logger }
 import play.filters.csrf.CSRFAddToken
 import securesocial.core.{ IdentityProvider, RuntimeEnvironment }
 import securesocial.core.services.RoutesService
@@ -16,6 +16,6 @@ class CustomLoginController @Inject() (val csrfAddToken: CSRFAddToken, implicit
   }
 }
 
-class CustomRoutesService extends RoutesService.Default {
-  override def loginPageUrl(implicit req: RequestHeader): String = controllers.routes.CustomLoginController.login().absoluteURL(IdentityProvider.sslEnabled)
+class CustomRoutesService(configuration: Configuration) extends RoutesService.Default(configuration) {
+  override def loginPageUrl(implicit req: RequestHeader): String = absoluteUrl(controllers.routes.CustomLoginController.login())
 }

samples/scala/demo/app/service/MyEnvironment.scala

@@ -28,7 +28,7 @@ import securesocial.core.RuntimeEnvironment
 class MyEnvironment @Inject() (override val configuration: Configuration, override val messagesApi: MessagesApi) extends RuntimeEnvironment.Default {
   override type U = DemoUser
   override implicit val executionContext = play.api.libs.concurrent.Execution.defaultContext
-  override lazy val routes = new CustomRoutesService()
+  override lazy val routes = new CustomRoutesService(configuration)
   override lazy val userService: InMemoryUserService = new InMemoryUserService()
   override lazy val eventListeners = List(new MyEventListener())
 }

samples/scala/demo/conf/securesocial.conf

@@ -85,6 +85,12 @@ securesocial {
 	#
 	ssl=false
 
+	#
+	# The application host and optional port are used to compute the URLs users are pointed to.
+	# (see RoutesService.Default.absoluteUrl)
+	#
+	applicationHost=localhost
+	applicationPort=9000
 
 	#
 	# Parameters for the cookie used to track users.