bug fix

JoyChou93 · JoyChou93 · commit ab69c0b60c67 · 2020-08-03T17:17:33.000+08:00
diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ Sort by letter.
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
+- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)
 - [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)
diff --git a/pom.xml b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>sec</groupId>
     <artifactId>java-sec-code</artifactId>
     <version>1.0.0</version>
-    <packaging>war</packaging>
+    <packaging>jar</packaging>
 
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
diff --git a/src/main/java/org/joychou/config/SafeDomainParser.java b/src/main/java/org/joychou/config/SafeDomainParser.java
@@ -29,11 +29,9 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(safeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
@@ -68,6 +66,7 @@ public SafeDomainParser() {
 
         WebConfig wc = new WebConfig();
         wc.setSafeDomains(safeDomains);
+        logger.info(safeDomains.toString());
         wc.setBlockDomains(blockDomains);
 
         // 解析SSRF配置
@@ -86,11 +85,10 @@ public SafeDomainParser() {
         try {
             // 读取resources目录下的文件
             ClassPathResource resource = new ClassPathResource(ssrfSafeDomainClassPath);
-            File file = resource.getFile();
-
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
-            Document doc = db.parse(file);  // parse xml
+            // 修复打包成jar包运行，不能读取文件的bug
+            Document doc = db.parse(resource.getInputStream());  // parse xml
 
             NodeList rootNode = doc.getElementsByTagName(ssrfRootTag);  // 解析根节点
             Node domainsNode = rootNode.item(0);
@@ -130,6 +128,7 @@ public SafeDomainParser() {
             logger.error(e.toString());
         }
 
+        logger.info(ssrfBlockIps.toString());
         wc.setSsrfBlockDomains(ssrfBlockDomains);
         wc.setSsrfBlockIps(ssrfBlockIps);
         wc.setSsrfSafeDomains(ssrfSafeDomains);
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
@@ -150,23 +150,18 @@ public String ImageIO(@RequestParam String url) {
     }
 
 
-    /**
-     * The default setting of followRedirects is true.
-     * UserAgent is <code>okhttp/2.5.0</code>.
-     */
     @GetMapping("/okhttp/sec")
     public String okhttp(@RequestParam String url) {
 
         try {
             SecurityUtil.startSSRFHook();
-            HttpUtils.okhttp(url);
+            return HttpUtils.okhttp(url);
         } catch (SSRFException | IOException e) {
             return e.getMessage();
         } finally {
             SecurityUtil.stopSSRFHook();
         }
 
-        return "okhttp ssrf test";
     }
 
 
diff --git a/src/main/java/org/joychou/controller/URLWhiteList.java b/src/main/java/org/joychou/controller/URLWhiteList.java
@@ -6,6 +6,8 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.*;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -92,15 +94,16 @@ public String regex(@RequestParam("url") String url) {
      * More details: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
     @GetMapping("/vuln/url_bypass")
-    public String url_bypass(String url) {
+    public String url_bypass(String url) throws MalformedURLException {
 
         logger.info("url:  " + url);
 
         if (!SecurityUtil.isHttp(url)) {
             return "Url is not http or https";
         }
 
-        String host = SecurityUtil.gethost(url);
+        URL u = new URL(url);
+        String host = u.getHost();
         logger.info("host:  " + host);
 
         // endsWith .
diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -7,23 +7,22 @@
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
 
-
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
- * Design csrf access denied page.
+ * Csrf access denied page.
  *
+ * @author JoyChou
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
     protected final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
-                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+                       AccessDeniedException accessDeniedException) throws IOException {
 
         logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" +
                 "Referer: " + request.getHeader("referer"));
diff --git a/src/main/java/org/joychou/security/ssrf/SSRFChecker.java b/src/main/java/org/joychou/security/ssrf/SSRFChecker.java
@@ -50,7 +50,7 @@ public static boolean checkURLFckSSRF(String url) {
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
-     * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
+     * 该修复方案会主动请求重定向后的链接。
      *
      * @param url        check的url
      * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
@@ -146,10 +146,16 @@ public static String Jsoup(String url) {
     }
 
 
-    public static void okhttp(String url) throws IOException {
+    /**
+     * The default setting of followRedirects is true. The option of followRedirects is true.
+     *
+     * UserAgent is <code>okhttp/2.5.0</code>.
+     */
+    public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
+        // client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
-        client.newCall(ok_http).execute();
+        return client.newCall(ok_http).execute().body().string();
     }
 
 
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
@@ -8,6 +8,7 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application. <a th:href="@{/appInfo}">Application Infomation</a></p>
     <p>
+        <a th:href="@{/swagger-ui.html}">Swagger</a>&nbsp;&nbsp;
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
         <a th:href="@{/file/pic}">FileUpload</a>&nbsp;&nbsp;

Original file line number	Diff line number	Diff line change
`@@ -150,23 +150,18 @@ public String ImageIO(@RequestParam String url) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`
`153`		`- /**`
`154`		`- * The default setting of followRedirects is true.`
`155`		`- * UserAgent is <code>okhttp/2.5.0</code>.`
`156`		`- */`
`157`	`153`	`@GetMapping("/okhttp/sec")`
`158`	`154`	`public String okhttp(@RequestParam String url) {`
`159`	`155`
`160`	`156`	`try {`
`161`	`157`	`SecurityUtil.startSSRFHook();`
`162`		`- HttpUtils.okhttp(url);`
	`158`	`+ return HttpUtils.okhttp(url);`
`163`	`159`	`} catch (SSRFException \| IOException e) {`
`164`	`160`	`return e.getMessage();`
`165`	`161`	`} finally {`
`166`	`162`	`SecurityUtil.stopSSRFHook();`
`167`	`163`	`}`
`168`	`164`
`169`		`- return "okhttp ssrf test";`
`170`	`165`	`}`
`171`	`166`
`172`	`167`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ public static boolean checkURLFckSSRF(String url) {`
`50`	`50`	`/**`
`51`	`51`	`* 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。`
`52`	`52`	`* url只允许https或者http，并且设置默认连接超时时间。`
`53`		`- * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…`
	`53`	`+ * 该修复方案会主动请求重定向后的链接。`
`54`	`54`	`*`
`55`	`55`	`* @param url check的url`
`56`	`56`	`* @param checkTimes 设置重定向检测的最大次数，建议设置为10次`