Merge pull request #67 from xiaoxiamo/ssrf

修复SSRF漏洞

austin-common/src/main/java/com/java3y/austin/common/constant/CommonConstant.java

@@ -44,6 +44,12 @@ public class CommonConstant {
     public static final String CONTENT_TYPE_XML = "application/xml; charset=UTF-8";
     public static final String CONTENT_TYPE_FORM_URL_ENCODE = "application/x-www-form-urlencoded;charset=utf-8;";
     public static final String CONTENT_TYPE_MULTIPART_FORM_DATA = "multipart/form-data";
+    /**
+     * 协议
+     */
+    public static final String HTTP = "http";
+    public static final String HTTPS = "https";
+    public static final String OSS = "oss";
     /**
      * HTTP 请求方法
      */

austin-support/src/main/java/com/java3y/austin/support/utils/AustinFileUtils.java

@@ -2,6 +2,7 @@ package com.java3y.austin.support.utils;
 
 import cn.hutool.core.io.IoUtil;
 import com.google.common.base.Throwables;
+import com.java3y.austin.common.constant.CommonConstant;
 import lombok.extern.slf4j.Slf4j;
 
 import java.io.File;
@@ -38,6 +39,15 @@ public class AustinFileUtils {
         FileOutputStream fileOutputStream = null;
         try {
             URL url = new URL(remoteUrl);
+            String protocol = url.getProtocol();
+            // 防止SSRF攻击
+            if (!CommonConstant.HTTP.equalsIgnoreCase(protocol)
+                    && !CommonConstant.HTTPS.equalsIgnoreCase(protocol)
+                    && !CommonConstant.OSS.equalsIgnoreCase(protocol)) {
+                log.error("AustinFileUtils#getRemoteUrl2File fail:{}, remoteUrl:{}",
+                        "The remoteUrl is invalid, it can only be of the types http, https, and oss.", remoteUrl);
+                return null;
+            }
             File file = new File(path, url.getPath());
             inputStream = url.openStream();
             if (!file.exists()) {