From 8e26d7ab145ba86730a38887269a72c74641e5de Mon Sep 17 00:00:00 2001
From: xiaoxiamo <82970607@qq.com>
Date: Tue, 16 Jul 2024 00:00:11 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D#56=20Issues,=20?=
 =?UTF-8?q?=E6=8C=87=E5=AE=9A=E5=8D=8F=E8=AE=AE=E7=99=BD=E5=90=8D=E5=8D=95?=
 =?UTF-8?q?=EF=BC=8C=E7=A6=81=E6=AD=A2=E4=BD=BF=E7=94=A8file://=E3=80=81ft?=
 =?UTF-8?q?p://=E7=AD=89=E5=8D=8F=E8=AE=AE=EF=BC=8C=E9=98=B2=E6=AD=A2SSRF?=
 =?UTF-8?q?=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java3y/austin/common/constant/CommonConstant.java | 6 ++++++
 .../java3y/austin/support/utils/AustinFileUtils.java | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/austin-common/src/main/java/com/java3y/austin/common/constant/CommonConstant.java b/austin-common/src/main/java/com/java3y/austin/common/constant/CommonConstant.java
index 4f8aac9..5706711 100644
--- a/austin-common/src/main/java/com/java3y/austin/common/constant/CommonConstant.java
+++ b/austin-common/src/main/java/com/java3y/austin/common/constant/CommonConstant.java
@@ -44,6 +44,12 @@ public class CommonConstant {
 public static final String CONTENT_TYPE_XML = "application/xml; charset=UTF-8";
 public static final String CONTENT_TYPE_FORM_URL_ENCODE = "application/x-www-form-urlencoded;charset=utf-8;";
 public static final String CONTENT_TYPE_MULTIPART_FORM_DATA = "multipart/form-data";
+ /**
+ * 协议
+ */
+ public static final String HTTP = "http";
+ public static final String HTTPS = "https";
+ public static final String OSS = "oss";
 /**
 * HTTP 请求方法
 */
diff --git a/austin-support/src/main/java/com/java3y/austin/support/utils/AustinFileUtils.java b/austin-support/src/main/java/com/java3y/austin/support/utils/AustinFileUtils.java
index a366a62..7439ef4 100644
--- a/austin-support/src/main/java/com/java3y/austin/support/utils/AustinFileUtils.java
+++ b/austin-support/src/main/java/com/java3y/austin/support/utils/AustinFileUtils.java
@@ -2,6 +2,7 @@ package com.java3y.austin.support.utils;
 import cn.hutool.core.io.IoUtil;
 import com.google.common.base.Throwables;
+import com.java3y.austin.common.constant.CommonConstant;
 import lombok.extern.slf4j.Slf4j;
 import java.io.File;
@@ -38,6 +39,15 @@ public class AustinFileUtils {
 FileOutputStream fileOutputStream = null;
 try {
 URL url = new URL(remoteUrl);
+ String protocol = url.getProtocol();
+ // 防止SSRF攻击
+ if (!CommonConstant.HTTP.equalsIgnoreCase(protocol)
+ && !CommonConstant.HTTPS.equalsIgnoreCase(protocol)
+ && !CommonConstant.OSS.equalsIgnoreCase(protocol)) {
+ log.error("AustinFileUtils#getRemoteUrl2File fail:{}, remoteUrl:{}",
+ "The remoteUrl is invalid, it can only be of the types http, https, and oss.", remoteUrl);
+ return null;
+ }
 File file = new File(path, url.getPath());
 inputStream = url.openStream();
 if (!file.exists()) {
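Review bot: The new allow-list in the second hunk only constrains the scheme, so an http(s) URL whose host resolves to a loopback, link-local or private address still passes and `url.openStream()` will fetch it, which is the SSRF case the commit title says it closes; after the scheme check, resolve `url.getHost()` and refuse non-public addresses as in the fence (this needs `import java.net.InetAddress;`), and keep in mind that `URL.openStream()` goes through `HttpURLConnection`, which by default follows same-protocol redirects, so validating only the initial URL can be sidestepped by a redirecting server. The next context line, `File file = new File(path, url.getPath());`, builds the destination file from the same remote URL, whose path may contain `..` segments; add a containment check such as `if (!file.getCanonicalPath().startsWith(new File(path).getCanonicalPath() + File.separator)) { return null; }` before anything is written. The `oss` branch looks unreachable unless a URLStreamHandler for that scheme is registered somewhere in the project, since `new URL(remoteUrl)` would otherwise throw before the check is reached — worth confirming. The enclosing try block and method continue outside the hunk.
```java
            // … unchanged: scheme allow-list check (http / https / oss) …
            // Scheme alone does not stop SSRF: also refuse hosts that resolve to local/private ranges
            InetAddress address = InetAddress.getByName(url.getHost());
            if (address.isAnyLocalAddress() || address.isLoopbackAddress()
                    || address.isLinkLocalAddress() || address.isSiteLocalAddress()) {
                log.error("AustinFileUtils#getRemoteUrl2File fail:{}, remoteUrl:{}",
                        "The remoteUrl host resolves to a non-public address.", remoteUrl);
                return null;
            }
            File file = new File(path, url.getPath());
```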