Bug fix.The method of fix ssrf can cause dos.

Author: JoyChou93

src/main/java/org/joychou/controller/SSRF.java

@@ -23,16 +23,15 @@
 
 
 import javax.imageio.ImageIO;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
 
 
 /**
- * @author  JoyChou ([email protected])
- * @date    2017.12.28
- * @desc    Java ssrf vuls code.
+ * Java SSRF vuln or security code.
+ *
+ * @author JoyChou @2017-12-28
  */
 
 @RestController
@@ -42,62 +41,59 @@ public class SSRF {
     private static Logger logger = LoggerFactory.getLogger(SSRF.class);
 
     @RequestMapping("/urlConnection")
-    public static String ssrf_URLConnection(HttpServletRequest request)
+    public static String ssrf_URLConnection(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
             String inputLine;
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
 
             while ((inputLine = in.readLine()) != null) {
                 html.append(inputLine);
             }
             in.close();
             return html.toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
 
 
     @RequestMapping("/HttpURLConnection")
     @ResponseBody
-    public static String ssrf_httpURLConnection(HttpServletRequest request)
+    public static String ssrf_httpURLConnection(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             HttpURLConnection httpUrl = (HttpURLConnection)urlConnection;
             BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
             String inputLine;
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
 
             while ((inputLine = in.readLine()) != null) {
                 html.append(inputLine);
             }
             in.close();
             return html.toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
 
 
     @RequestMapping("/Request")
     @ResponseBody
-    public static String ssrf_Request(HttpServletRequest request)
+    public static String ssrf_Request(@RequestParam String url)
     {
         try {
-            String url = request.getParameter("url");
             return Request.Get(url).execute().returnContent().toString();
         }catch(Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
             return "fail";
         }
     }
@@ -113,10 +109,9 @@ public static String ssrf_Request(HttpServletRequest request)
      */
     @RequestMapping("/openStream")
     @ResponseBody
-    public static void ssrf_openStream (HttpServletRequest request, HttpServletResponse response) throws IOException {
+    public static void ssrf_openStream (@RequestParam String url, HttpServletResponse response) throws IOException {
         InputStream inputStream = null;
         OutputStream outputStream = null;
-        String url = request.getParameter("url");
         try {
             String downLoadImgFileName = Files.getNameWithoutExtension(url) + "." + Files.getFileExtension(url);
             // download
@@ -132,7 +127,7 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo
             }
 
         }catch (Exception e) {
-            e.printStackTrace();
+            logger.error(e.toString());
         }finally {
             if (inputStream != null) {
                 inputStream.close();
@@ -147,20 +142,19 @@ public static void ssrf_openStream (HttpServletRequest request, HttpServletRespo
 
     @RequestMapping("/ImageIO")
     @ResponseBody
-    public static void ssrf_ImageIO(HttpServletRequest request) {
-        String url = request.getParameter("url");
+    public static void ssrf_ImageIO(@RequestParam String url) {
         try {
             URL u = new URL(url);
             ImageIO.read(u); // send request
         } catch (Exception e) {
+            logger.error(e.toString());
         }
     }
 
 
     @RequestMapping("/okhttp")
     @ResponseBody
-    public static void ssrf_okhttp(HttpServletRequest request) throws IOException {
-        String url = request.getParameter("url");
+    public static void ssrf_okhttp(@RequestParam String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
         client.newCall(ok_http).execute();
@@ -180,8 +174,8 @@ public static String ssrf_HttpClient(@RequestParam String url) {
         try {
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
-            StringBuffer result = new StringBuffer();
-            String line = "";
+            StringBuilder result = new StringBuilder();
+            String line = null;
             while ((line = rd.readLine()) != null) {
                 result.append(line);
             }
@@ -236,8 +230,8 @@ public static String commonsHttpClient(@RequestParam String url) {
 
     /**
      * jsoup是一款Java的HTML解析器，可直接解析某个URL地址、HTML文本内容。
-     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      *
+     * http://localhost:8080/ssrf/Jsoup?url=http://www.baidu.com
      */
     @RequestMapping("/Jsoup")
     @ResponseBody
@@ -251,9 +245,11 @@ public static String Jsoup(@RequestParam String url) {
                     .cookie("name", "joychou") // request请求带的cookie
                     .followRedirects(false)
                     .execute().parse();
+            logger.info(doc.html());
         } catch (MalformedURLException e) {
             return "exception: " + e.toString();
-        } catch (Exception e) {
+        } catch (IOException e) {
+            logger.error(e.toString());
             return "exception: " + e.toString();
         }
 
@@ -271,7 +267,7 @@ public static String Jsoup(@RequestParam String url) {
     public static String IOUtils(@RequestParam String url) {
         try {
             // IOUtils.toByteArray内部用URLConnection进行了封装
-            byte[] b = IOUtils.toByteArray(URI.create(url));
+            IOUtils.toByteArray(URI.create(url));
         } catch (Exception e) {
             return "exception: " + e.toString();
         }

src/main/java/org/joychou/controller/XSS.java

@@ -1,35 +1,24 @@
 package org.joychou.controller;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.dao.User;
-import org.joychou.mapper.UserMapper;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.annotation.Resource;
 import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.Statement;
+
 
 /**
- * @author   JoyChou ([email protected])
- * @date     2018.01.02
- * @desc     XSS vuls code
+ * @author JoyChou @2018-01-02
  */
-
 @Controller
 @RequestMapping("/xss")
 public class XSS {
 
     /**
-     * Vul Code.
+     * Vuln Code.
      * ReflectXSS
      * http://localhost:8080/xss/reflect?xss=<script>alert(1)</script>
      *
@@ -71,6 +60,7 @@ public String show(@CookieValue("xss") String xss)
     {
         return xss;
     }
+
     /**
      * safe Code.
      * http://localhost:8080/xss/safe
@@ -82,7 +72,7 @@ public static String safe(String xss){
         return encode(xss);
     }
 
-    public static String encode(String origin) {
+    private static String encode(String origin) {
         origin = StringUtils.replace(origin, "&", "&amp;");
         origin = StringUtils.replace(origin, "<", "&lt;");
         origin = StringUtils.replace(origin, ">", "&gt;");

src/main/java/org/joychou/security/SSRFChecker.java

@@ -8,21 +8,24 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class SSRFChecker {
+class SSRFChecker {
 
-    private static int connectTime = 5*1000;  // 设置连接超时时间5s
     private static Logger logger = LoggerFactory.getLogger(SSRFChecker.class);
+
     /**
      * 解析url的ip，判断ip是否是内网ip，所以TTL设置为0的情况不适用。
      * url只允许https或者http，并且设置默认连接超时时间。
      * 该修复方案会主动请求重定向后的链接。最好用Hook方式获取到所有url后，进行判断，代码待续…
      *
      * @param url check的url
+     * @param checkTimes 设置重定向检测的最大次数，建议设置为10次
      * @return 安全返回true，危险返回false
      */
-    public static Boolean checkSSRF(String url) {
+    static Boolean checkSSRF(String url, int checkTimes) {
 
         HttpURLConnection connection;
+        int connectTime = 5*1000;  // 设置连接超时时间5s
+        int i = 1;
         String finalUrl = url;
         try {
             do {
@@ -45,7 +48,11 @@ public static Boolean checkSSRF(String url) {
                     if (null == redirectedUrl)
                         break;
                     finalUrl = redirectedUrl;
-                    // System.out.println("redirected url: " + finalUrl);
+                    i += 1;  // 重定向次数加1
+                    logger.info("redirected url: " + finalUrl);
+                    if(i == checkTimes) {
+                        return false;
+                    }
                 } else
                     break;
             } while (connection.getResponseCode() != HttpURLConnection.HTTP_OK);
@@ -62,7 +69,7 @@ public static Boolean checkSSRF(String url) {
      *
      * @return 如果是内网IP，返回true；非内网IP，返回false。
      */
-    public static Boolean isInnerIPByUrl(String url) {
+     static Boolean isInnerIPByUrl(String url) {
         String host = url2host(url);
         if (host.equals("")) {
             return true; // 异常URL当成内网IP等非法URL处理

src/main/java/org/joychou/security/SecurityUtil.java

@@ -91,11 +91,8 @@ public static String checkUrlByGuava(String url, String[] urlwhitelist){
      * @return 安全返回true，危险返回false
      */
     public static Boolean checkSSRF(String url) {
-        if (SSRFChecker.checkSSRF(url)) {
-            return true;
-        } else {
-            return false;
-        }
+        int checkTimes = 10;
+        return SSRFChecker.checkSSRF(url, checkTimes);
     }
 
 
@@ -143,7 +140,7 @@ public static String pathFilter(String filepath) {
             }
         }
 
-        if (temp.indexOf("..") != -1 || temp.charAt(0) == '/') {
+        if (temp.contains("..") || temp.charAt(0) == '/') {
             return null;
         }
 

src/main/java/org/joychou/security/WebSecurityConfig.java

@@ -43,7 +43,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         public boolean matches(HttpServletRequest request) {
 
             // 配置需要CSRF校验的请求方式，
-            HashSet<String> allowedMethods = new HashSet<String>(Arrays.asList(csrfMethod));
+            HashSet<String> allowedMethods = new HashSet<>(Arrays.asList(csrfMethod));
             // return false表示不校验csrf
             if (!csrfEnabled) {
                 return false;
@@ -74,7 +74,8 @@ protected void configure(HttpSecurity http) throws Exception {
                 .successHandler(new LoginSuccessHandler())
                 .failureHandler(new LoginFailureHandler()).and()
                 .logout().logoutUrl("/logout").permitAll().and()
-                .rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
+                // tomcat默认JSESSION会话有效时间为30分钟，所以30分钟不操作会话将过期。为了解决这一问题，引入rememberMe功能。
+                .rememberMe();
     }
 
     /**
@@ -84,7 +85,7 @@ protected void configure(HttpSecurity http) throws Exception {
     CorsConfigurationSource corsConfigurationSource()
     {
         // Set cors origin white list
-        ArrayList<String> allowOrigins = new ArrayList<String>();
+        ArrayList<String> allowOrigins = new ArrayList<>();
         allowOrigins.add("joychou.org");
         allowOrigins.add("https://test.joychou.me"); // 区分http和https，并且默认不会拦截同域请求。