fix: 修复#56 Issues, 指定协议白名单,禁止使用file://、ftp://等协议,防止SSRF攻击

pull/67/head
xiaoxiamo 5 months ago
parent 780d769575
commit 8e26d7ab14

@ -44,6 +44,12 @@ public class CommonConstant {
public static final String CONTENT_TYPE_XML = "application/xml; charset=UTF-8"; public static final String CONTENT_TYPE_XML = "application/xml; charset=UTF-8";
public static final String CONTENT_TYPE_FORM_URL_ENCODE = "application/x-www-form-urlencoded;charset=utf-8;"; public static final String CONTENT_TYPE_FORM_URL_ENCODE = "application/x-www-form-urlencoded;charset=utf-8;";
public static final String CONTENT_TYPE_MULTIPART_FORM_DATA = "multipart/form-data"; public static final String CONTENT_TYPE_MULTIPART_FORM_DATA = "multipart/form-data";
/**
*
*/
public static final String HTTP = "http";
public static final String HTTPS = "https";
public static final String OSS = "oss";
/** /**
* HTTP * HTTP
*/ */

@ -2,6 +2,7 @@ package com.java3y.austin.support.utils;
import cn.hutool.core.io.IoUtil; import cn.hutool.core.io.IoUtil;
import com.google.common.base.Throwables; import com.google.common.base.Throwables;
import com.java3y.austin.common.constant.CommonConstant;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import java.io.File; import java.io.File;
@ -38,6 +39,15 @@ public class AustinFileUtils {
FileOutputStream fileOutputStream = null; FileOutputStream fileOutputStream = null;
try { try {
URL url = new URL(remoteUrl); URL url = new URL(remoteUrl);
String protocol = url.getProtocol();
// 防止SSRF攻击
if (!CommonConstant.HTTP.equalsIgnoreCase(protocol)
&& !CommonConstant.HTTPS.equalsIgnoreCase(protocol)
&& !CommonConstant.OSS.equalsIgnoreCase(protocol)) {
log.error("AustinFileUtils#getRemoteUrl2File fail:{}, remoteUrl:{}",
"The remoteUrl is invalid, it can only be of the types http, https, and oss.", remoteUrl);
return null;
}
File file = new File(path, url.getPath()); File file = new File(path, url.getPath());
inputStream = url.openStream(); inputStream = url.openStream();
if (!file.exists()) { if (!file.exists()) {

Loading…
Cancel
Save