add configure code of json to jsonp

Author: JoyChou93

README.md

@@ -15,7 +15,7 @@ Each vulnerability type code has a security vulnerability by default unless ther
 
 Sort by letter.
 
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)

README_zh.md

@@ -12,7 +12,7 @@
 
 ## 漏洞代码
 
-- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml)
+- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)

src/main/java/org/joychou/controller/JSONP.java

@@ -0,0 +1,89 @@
+package org.joychou.controller.jsonp;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONObject;
+import org.joychou.security.SecurityUtil;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+
+/**
+ * @author  JoyChou ([email protected]) @ 2018.10.24
+ * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
+ */
+
+@RestController
+@RequestMapping("/jsonp")
+public class JSONP {
+
+    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
+
+
+    /**
+     * Set the response content-type to application/javascript.
+     *
+     * http://localhost:8080/jsonp/referer?callback=test
+     *
+     */
+    @RequestMapping(value = "/referer", produces = "application/javascript")
+    private static String referer(HttpServletRequest request, HttpServletResponse response) {
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+    /**
+     * Direct access does not check Referer, non-direct access check referer.
+     * Developer like to do jsonp testing like this.
+     *
+     * http://localhost:8080/jsonp/emptyReferer?callback=test
+     *
+     */
+    @RequestMapping(value = "/emptyReferer", produces = "application/javascript")
+    private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
+        String referer = request.getHeader("referer");
+
+        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+            return "error";
+        }
+
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+    /**
+     * Adding callback or cback on parameter can automatically return jsonp data.
+     * http://localhost:8080/jsonp/advice?callback=test
+     * http://localhost:8080/jsonp/advice?cback=test
+     *
+     * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
+     *         Such as JSONOjbect or JavaBean. String type cannot be used.
+     */
+    @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
+    public JSONObject advice() {
+        return JSON.parseObject(info);
+
+    }
+
+    /**
+     * Safe code.
+     * http://localhost:8080/jsonp/sec?callback=test
+     */
+    @RequestMapping(value = "/sec", produces = "application/javascript")
+    private static String safecode(HttpServletRequest request, HttpServletResponse response) {
+        String referer = request.getHeader("referer");
+
+        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+            return "error";
+        }
+
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+
+
+}

src/main/java/org/joychou/controller/jsonp/JSONP.java

@@ -0,0 +1,12 @@
+package org.joychou.controller.jsonp;
+
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
+
+@ControllerAdvice
+public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
+
+    public JSONPAdvice() {
+        super("callback", "cback");  // Can set multiple paramNames
+    }
+}

src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java

@@ -7,6 +7,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
 
 
 /**
@@ -19,6 +20,9 @@
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
 public class secFilter implements Filter {
 
+    @Value("${org.joychou.security.jsonp}")
+    private Boolean jsonpSwitch;  // get application.properties configure
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -28,6 +32,12 @@ public void init(FilterConfig filterConfig) throws ServletException {
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
             throws IOException, ServletException {
 
+
+        // If don't check referer, return.
+        if (!jsonpSwitch) {
+            return ;
+        }
+
         HttpServletRequest request = (HttpServletRequest) req;
         HttpServletResponse response = (HttpServletResponse) res;
 

src/main/java/org/joychou/security/secFilter.java

@@ -1,4 +1,7 @@
 
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
-logging.config=classpath:logback-online.xml
+logging.config=classpath:logback-online.xml
+
+# jsonp check referer switch
+org.joychou.security.jsonp = true