From 65a6bd4f72c985b4f31821a732e7da39050910ac Mon Sep 17 00:00:00 2001
From: threedr3am <929811313@qq.com>
Date: Fri, 23 Feb 2024 01:04:29 +0800
Subject: [PATCH 1/2] add CVE-2024-22243 & optimize project
---
apache-poi/pom.xml | 2 +-
.../dubbo-hessian2-safe-reinforcement/pom.xml | 1 -
fastjson/pom.xml | 11 +++
jackson/pom.xml | 2 +-
pom.xml | 83 -------------------
shiro/auth-bypass-shiro-1-4-1/pom.xml | 1 -
shiro/auth-bypass-shiro-1-5-1/pom.xml | 1 -
shiro/auth-bypass-shiro-1-5-3/pom.xml | 1 -
shiro/auth-bypass-shiro-1-7-1/pom.xml | 1 -
shiro/auth-bypass-shiro-1-8-0/pom.xml | 1 -
spring/pom.xml | 1 +
.../pom.xml | 1 -
.../pom.xml | 1 -
.../pom.xml | 1 -
spring/spring-uricomponentsbuilder/pom.xml | 27 ++++++
.../bug/spring/uricomponentsbuilder/Main.java | 15 ++++
.../controller/OAuthController.java | 74 +++++++++++++++++
17 files changed, 130 insertions(+), 94 deletions(-)
create mode 100644 spring/spring-uricomponentsbuilder/pom.xml
create mode 100644 spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
create mode 100644 spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
diff --git a/apache-poi/pom.xml b/apache-poi/pom.xml
index 5bc7ea1f..99da6a52 100644
--- a/apache-poi/pom.xml
+++ b/apache-poi/pom.xml
@@ -9,7 +9,7 @@
4.0.0
- apache-com.threedr3am.bug.poi
+ apache-poi
pom
cve-2014-3529
diff --git a/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml b/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml
index 11355cdc..34ed8817 100644
--- a/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml
+++ b/dubbo/dubbo-hessian2-safe-reinforcement/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
2.1.11.RELEASE
-
4.0.0
diff --git a/fastjson/pom.xml b/fastjson/pom.xml
index a93758cc..c6585ab1 100644
--- a/fastjson/pom.xml
+++ b/fastjson/pom.xml
@@ -19,6 +19,17 @@
1.2.68
+
+ org.python
+ jython
+ 2.5.3-rc1
+
+
+ org.postgresql
+ postgresql
+ 42.5.0
+
+
com.xyh
common
diff --git a/jackson/pom.xml b/jackson/pom.xml
index 24b3e34b..50b0dde3 100644
--- a/jackson/pom.xml
+++ b/jackson/pom.xml
@@ -88,7 +88,7 @@
- acc
+
com.codahale.metrics
metrics-healthchecks
3.0.2
diff --git a/pom.xml b/pom.xml
index e09a4391..0e883edd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,92 +47,9 @@
4.11
test
-
-
-
- org.mozilla
- rhino
- 1.7.6
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- maven-clean-plugin
- 3.0.0
-
-
-
- maven-resources-plugin
- 3.0.2
-
-
- maven-compiler-plugin
- 3.7.0
-
-
- maven-surefire-plugin
- 2.20.1
-
-
- maven-jar-plugin
- 3.0.2
-
-
- maven-install-plugin
- 2.5.2
-
-
- maven-deploy-plugin
- 2.8.2
-
-
-
org.apache.maven.plugins
diff --git a/shiro/auth-bypass-shiro-1-4-1/pom.xml b/shiro/auth-bypass-shiro-1-4-1/pom.xml
index 18215b3a..0b14eb26 100644
--- a/shiro/auth-bypass-shiro-1-4-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
-
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-5-1/pom.xml b/shiro/auth-bypass-shiro-1-5-1/pom.xml
index 92fb2643..033eba39 100644
--- a/shiro/auth-bypass-shiro-1-5-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
-
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-5-3/pom.xml b/shiro/auth-bypass-shiro-1-5-3/pom.xml
index 197a9891..6afbe308 100644
--- a/shiro/auth-bypass-shiro-1-5-3/pom.xml
+++ b/shiro/auth-bypass-shiro-1-5-3/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
-
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-7-1/pom.xml b/shiro/auth-bypass-shiro-1-7-1/pom.xml
index 079c2a0a..0c6d9b08 100644
--- a/shiro/auth-bypass-shiro-1-7-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-7-1/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
-
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-8-0/pom.xml b/shiro/auth-bypass-shiro-1-8-0/pom.xml
index 2de5d4ca..ac7304cb 100644
--- a/shiro/auth-bypass-shiro-1-8-0/pom.xml
+++ b/shiro/auth-bypass-shiro-1-8-0/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
-
4.0.0
diff --git a/spring/pom.xml b/spring/pom.xml
index 680c8649..dffacb44 100644
--- a/spring/pom.xml
+++ b/spring/pom.xml
@@ -15,6 +15,7 @@
spring-boot-actuator-bug
spring-cloud-config-server-CVE-2020-5410
spring-data-mongodb-spel-CVE-2022-22980
+ spring-uricomponentsbuilder
diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml b/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml
index 7d6dd8ca..be2f2b57 100644
--- a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml
+++ b/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
2.0.3.RELEASE
-
4.0.0
diff --git a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
index b7035208..856737a0 100644
--- a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
+++ b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
2.2.1.RELEASE
-
4.0.0
diff --git a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
index d693c060..dc3f703d 100644
--- a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
+++ b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
@@ -6,7 +6,6 @@
org.springframework.boot
spring-boot-starter-parent
2.2.2.RELEASE
-
4.0.0
spring-cloud-config-server-CVE-2020-5410
diff --git a/spring/spring-uricomponentsbuilder/pom.xml b/spring/spring-uricomponentsbuilder/pom.xml
new file mode 100644
index 00000000..c5fb0b4c
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder/pom.xml
@@ -0,0 +1,27 @@
+
+
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.3.5.RELEASE
+
+
+ 4.0.0
+
+ spring-uricomponentsbuilder
+
+
+ 8
+ 8
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+
+
\ No newline at end of file
diff --git a/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
new file mode 100644
index 00000000..a2bb9780
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
@@ -0,0 +1,15 @@
+package com.threedr3am.bug.spring.uricomponentsbuilder;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author threedr3am
+ */
+@SpringBootApplication
+public class Main {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Main.class, args);
+ }
+}
diff --git a/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
new file mode 100644
index 00000000..4821ff40
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
@@ -0,0 +1,74 @@
+package com.threedr3am.bug.spring.uricomponentsbuilder.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author threedr3am
+ *
+ * CVE-2024-22243
+ *
+ * Spring Framework 是一个开源的Java应用程序框架,UriComponentsBuilder是Spring Web中用于构建和操作URI的工具类。
+ * 受影响版本中,由于 UriComponentsBuilder 处理URL时未正确过滤用户信息中的方括号 `[` ,攻击者可构造包含方括号的恶意URL绕过主机名验证。
+ * 如果应用程序依赖UriComponentsBuilder.fromUriString()等方法对URL进行解析和校验,则可能导致验证绕过,出现开放重定向或SSRF漏洞。
+ *
+ * ### 修复方案
+ * 1. 将 org.springframework:spring-web 升级至 6.1.4 及以上版本
+ * 2. 将 org.springframework:spring-web 升级至 6.0.17 及以上版本
+ * 3. 将 org.springframework:spring-web 升级至 5.3.32 及以上版本
+ *
+ * ### 参考链接
+ * 1. https://www.oscs1024.com/hd/MPS-uwzo-gx91
+ * 2. https://spring.io/security/cve-2024-22243
+ * 3. https://github.com/spring-projects/spring-framework/commit/7ec5c994c147f0e168149498b1c9d4a249d69e87
+ * 4. https://nvd.nist.gov/vuln/detail/CVE-2024-22243
+ */
+@Controller
+@RequestMapping("/oauth")
+public class OAuthController {
+
+ private static final Set whiteDomains = new HashSet<>(Arrays.asList(new String[]{
+ ".fuckpdd.com"
+ }));
+
+ /**
+ * 一般绕过oauth的host校验,可以开放重定向到恶意站点劫持code
+ * 访问:http://127.0.0.1:8080/oauth?redirect_uri=http%3A%2F%2Fwww.fuckpdd.com%5B%40www.evil.com%2Ftou
+ *
+ *
+ * @param redirectUri http://www.fuckpdd.com[@www.evil.com/tou
+ * @return
+ */
+ @GetMapping
+ public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException {
+ UriComponents uriComponents = UriComponentsBuilder.fromUriString(redirectUri).build();
+ String schema = uriComponents.getScheme();
+ String host = uriComponents.getHost();
+ String path = uriComponents.getPath();
+
+ System.out.printf("schema:%s\n", schema);
+ System.out.printf("host:%s\n", host);
+ System.out.printf("path:%s\n", path);
+
+ boolean pass = false;
+ for (String whiteDomain : whiteDomains) {
+ if (host.endsWith(whiteDomain)) {
+ pass = true;
+ break;
+ }
+ }
+ if (!pass) return "error";
+
+ return "redirect:" + redirectUri;
+ }
+}
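Review bot: `host.endsWith(whiteDomain)` dereferences `host` without a null check, and `UriComponents.getHost()` can return null when `redirect_uri` carries no authority (a relative path, for instance), so the allowlist loop would fail with a NullPointerException instead of rejecting the input; add `if (host == null) return "error";` before the loop. The allowlist field is declared as a raw `Set`, which makes the enhanced-for yield `Object` rather than `String`, so `for (String whiteDomain : whiteDomains)` should not compile as written; declare it `private static final Set<String> whiteDomains = new HashSet<>(Arrays.asList(".fuckpdd.com"));`. The `HttpServletResponse response` parameter and the `throws IOException` clause are never used in the method body and could be dropped. The same three points apply to the copy of this controller added under spring-uricomponentsbuilder-2 in the second patch.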
From 3f7fe9d8eab29f88fd0c6fb8362d21696b5cb95c Mon Sep 17 00:00:00 2001
From: threedr3am <929811313@qq.com>
Date: Thu, 14 Mar 2024 23:05:17 +0800
Subject: [PATCH 2/2] fix any pom & add CVE-2024-22259 demo
---
shiro/auth-bypass-shiro-1-4-1/pom.xml | 1 +
shiro/auth-bypass-shiro-1-5-1/pom.xml | 1 +
shiro/auth-bypass-shiro-1-5-3/pom.xml | 1 +
shiro/auth-bypass-shiro-1-7-1/pom.xml | 1 +
shiro/auth-bypass-shiro-1-8-0/pom.xml | 1 +
.../actuator-1.2/pom.xml | 1 +
.../actuator-1.3/pom.xml | 1 +
.../actuator-1.4/pom.xml | 1 +
.../actuator-1.5/pom.xml | 13 +---
.../actuator-2.0/pom.xml | 13 +---
.../pom.xml | 1 +
.../bug/spring/config/server/Application.java | 0
.../spring/config/server/package-info.java | 0
.../src/main/resources/application.yml | 0
.../pom.xml | 1 +
.../pom.xml | 1 +
.../pom.xml | 1 +
spring/spring-uricomponentsbuilder-2/pom.xml | 33 +++++++++
.../bug/spring/uricomponentsbuilder/Main.java | 15 ++++
.../controller/OAuthController.java | 74 +++++++++++++++++++
spring/spring-uricomponentsbuilder/pom.xml | 8 +-
21 files changed, 143 insertions(+), 25 deletions(-)
rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/pom.xml (95%)
rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/java/com/threedr3am/bug/spring/config/server/Application.java (100%)
rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java (100%)
rename spring/{spring-cloud-config-server(CVE-2019-3799) => spring-cloud-config-server-CVE-2019-3799}/src/main/resources/application.yml (100%)
create mode 100644 spring/spring-uricomponentsbuilder-2/pom.xml
create mode 100644 spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
create mode 100644 spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
diff --git a/shiro/auth-bypass-shiro-1-4-1/pom.xml b/shiro/auth-bypass-shiro-1-4-1/pom.xml
index 0b14eb26..65600748 100644
--- a/shiro/auth-bypass-shiro-1-4-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-4-1/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
+
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-5-1/pom.xml b/shiro/auth-bypass-shiro-1-5-1/pom.xml
index 033eba39..1423f473 100644
--- a/shiro/auth-bypass-shiro-1-5-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-5-1/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
+
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-5-3/pom.xml b/shiro/auth-bypass-shiro-1-5-3/pom.xml
index 6afbe308..d00854fe 100644
--- a/shiro/auth-bypass-shiro-1-5-3/pom.xml
+++ b/shiro/auth-bypass-shiro-1-5-3/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
+
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-7-1/pom.xml b/shiro/auth-bypass-shiro-1-7-1/pom.xml
index 0c6d9b08..842e2b1c 100644
--- a/shiro/auth-bypass-shiro-1-7-1/pom.xml
+++ b/shiro/auth-bypass-shiro-1-7-1/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
+
4.0.0
diff --git a/shiro/auth-bypass-shiro-1-8-0/pom.xml b/shiro/auth-bypass-shiro-1-8-0/pom.xml
index ac7304cb..bcf8a10c 100644
--- a/shiro/auth-bypass-shiro-1-8-0/pom.xml
+++ b/shiro/auth-bypass-shiro-1-8-0/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.22.RELEASE
+
4.0.0
diff --git a/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml
index e5b439b1..9c96b228 100644
--- a/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml
+++ b/spring/spring-boot-actuator-bug/actuator-1.2/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.2.8.RELEASE
+
4.0.0
diff --git a/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml
index b9090740..60df3a39 100644
--- a/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml
+++ b/spring/spring-boot-actuator-bug/actuator-1.3/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.3.8.RELEASE
+
4.0.0
diff --git a/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml
index 0bfe7d4b..a7bf9e37 100644
--- a/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml
+++ b/spring/spring-boot-actuator-bug/actuator-1.4/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.4.7.RELEASE
+
4.0.0
diff --git a/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml b/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml
index 8eb31588..3f145784 100644
--- a/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml
+++ b/spring/spring-boot-actuator-bug/actuator-1.5/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
1.5.16.RELEASE
+
4.0.0
@@ -39,18 +40,6 @@
-
-
-
- org.springframework.boot
- spring-boot-maven-plugin
-
- true
-
-
-
-
-
diff --git a/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml b/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml
index e689f443..26e0b1b4 100644
--- a/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml
+++ b/spring/spring-boot-actuator-bug/actuator-2.0/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
2.0.5.RELEASE
+
4.0.0
@@ -56,18 +57,6 @@
-
-
-
- org.springframework.boot
- spring-boot-maven-plugin
-
- true
-
-
-
-
-
diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml b/spring/spring-cloud-config-server-CVE-2019-3799/pom.xml
similarity index 95%
rename from spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml
rename to spring/spring-cloud-config-server-CVE-2019-3799/pom.xml
index be2f2b57..a72a9fb4 100644
--- a/spring/spring-cloud-config-server(CVE-2019-3799)/pom.xml
+++ b/spring/spring-cloud-config-server-CVE-2019-3799/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
2.0.3.RELEASE
+
4.0.0
diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/Application.java b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/Application.java
similarity index 100%
rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/Application.java
rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/Application.java
diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java
similarity index 100%
rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java
rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java
diff --git a/spring/spring-cloud-config-server(CVE-2019-3799)/src/main/resources/application.yml b/spring/spring-cloud-config-server-CVE-2019-3799/src/main/resources/application.yml
similarity index 100%
rename from spring/spring-cloud-config-server(CVE-2019-3799)/src/main/resources/application.yml
rename to spring/spring-cloud-config-server-CVE-2019-3799/src/main/resources/application.yml
diff --git a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
index 856737a0..ef86677d 100644
--- a/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
+++ b/spring/spring-cloud-config-server-CVE-2020-5405/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
2.2.1.RELEASE
+
4.0.0
diff --git a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
index dc3f703d..dfb9ba14 100644
--- a/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
+++ b/spring/spring-cloud-config-server-CVE-2020-5410/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
2.2.2.RELEASE
+
4.0.0
spring-cloud-config-server-CVE-2020-5410
diff --git a/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml
index b8648693..16dcc7db 100644
--- a/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml
+++ b/spring/spring-data-mongodb-spel-CVE-2022-22980/pom.xml
@@ -6,6 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
2.6.8
+
4.0.0
diff --git a/spring/spring-uricomponentsbuilder-2/pom.xml b/spring/spring-uricomponentsbuilder-2/pom.xml
new file mode 100644
index 00000000..d7609148
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder-2/pom.xml
@@ -0,0 +1,33 @@
+
+
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.7.18
+
+
+ 4.0.0
+
+ spring-uricomponentsbuilder-2
+
+
+ 8
+ 8
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+
+ org.springframework
+ spring-web
+ 5.3.32
+
+
+
+
\ No newline at end of file
diff --git a/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
new file mode 100644
index 00000000..a2bb9780
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/Main.java
@@ -0,0 +1,15 @@
+package com.threedr3am.bug.spring.uricomponentsbuilder;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author threedr3am
+ */
+@SpringBootApplication
+public class Main {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Main.class, args);
+ }
+}
diff --git a/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
new file mode 100644
index 00000000..413e0b9c
--- /dev/null
+++ b/spring/spring-uricomponentsbuilder-2/src/main/java/com/threedr3am/bug/spring/uricomponentsbuilder/controller/OAuthController.java
@@ -0,0 +1,74 @@
+package com.threedr3am.bug.spring.uricomponentsbuilder.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author threedr3am
+ *
+ * CVE-2024-22259
+ *
+ * 使用UricomponentsBuilder解析外部提供的URL(例如通过查询参数)并对解析URL的主机执行验证检查的应用程序可能容易受到公开重定向攻击,
+ * 如果在通过验证检查后使用该URL,则可能容易受到SSRF攻击。
+ * 这与CVE-2024-22243相同,这是另一种输入不同的情况。
+ *
+ * ### 修复方案
+ * 1. 将 org.springframework:spring-web 升级至 6.1.5 及以上版本
+ * 2. 将 org.springframework:spring-web 升级至 6.0.18 及以上版本
+ * 3. 将 org.springframework:spring-web 升级至 5.3.33 及以上版本
+ *
+ * ### 参考链接
+ * https://spring.io/security/cve-2024-22259
+ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22259
+ *
+ */
+@Controller
+@RequestMapping("/oauth")
+public class OAuthController {
+
+ private static final Set whiteDomains = new HashSet<>(Arrays.asList(new String[]{
+ ".fuckpdd.com"
+ }));
+
+ /**
+ * 一般绕过oauth的host校验,可以开放重定向到恶意站点劫持code
+ * 访问:http://127.0.0.1:8080/oauth?redirect_uri=http%3A%2F%2F%40www.fuckpdd.com%5B%40www.evil.com%2Ftou
+ *
+ *
+ * @param redirectUri [CVE-2024-22259] -> http://@www.fuckpdd.com[@www.evil.com/tou
+ * [CVE-2024-22243] -> http://www.fuckpdd.com[@www.evil.com/tou
+ * @return
+ */
+ @GetMapping
+ public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException {
+ UriComponents uriComponents = UriComponentsBuilder.fromUriString(redirectUri).build();
+ String schema = uriComponents.getScheme();
+ String host = uriComponents.getHost();
+ String path = uriComponents.getPath();
+
+ System.out.printf("schema:%s\n", schema);
+ System.out.printf("host:%s\n", host);
+ System.out.printf("path:%s\n", path);
+
+ boolean pass = false;
+ for (String whiteDomain : whiteDomains) {
+ if (host.endsWith(whiteDomain)) {
+ pass = true;
+ break;
+ }
+ }
+ if (!pass) return "error";
+
+ return "redirect:" + redirectUri;
+ }
+}
diff --git a/spring/spring-uricomponentsbuilder/pom.xml b/spring/spring-uricomponentsbuilder/pom.xml
index c5fb0b4c..53b8b853 100644
--- a/spring/spring-uricomponentsbuilder/pom.xml
+++ b/spring/spring-uricomponentsbuilder/pom.xml
@@ -5,7 +5,7 @@
org.springframework.boot
spring-boot-starter-parent
- 2.3.5.RELEASE
+ 2.7.18
4.0.0
@@ -22,6 +22,12 @@
org.springframework.boot
spring-boot-starter-web
+
+
+ org.springframework
+ spring-web
+ 5.3.31
+
\ No newline at end of file