add xxe return back filecontent

JoyChou93 · JoyChou93 · commit 98212169c742 · 2019-11-02T11:01:53.000+08:00
diff --git a/src/main/java/org/joychou/controller/Cookies.java b/src/main/java/org/joychou/controller/Cookies.java
@@ -0,0 +1,81 @@
+package org.joychou.controller;
+
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import org.joychou.util.WebUtils;
+import org.springframework.web.bind.annotation.RestController;
+import static org.springframework.web.util.WebUtils.getCookie;
+
+@RestController
+@RequestMapping("/cookie")
+public class Cookies {
+
+    private static String NICK = "nick";
+
+    @RequestMapping(value = "/vuln01")
+    private String vuln01(HttpServletRequest req) {
+        String nick = WebUtils.getCookieValueByName(req, NICK); // key code
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln02")
+    private String vuln02(HttpServletRequest req) {
+        String nick = null;
+        Cookie[] cookie = req.getCookies();
+
+        if (cookie != null) {
+            nick = getCookie(req, NICK).getValue();  // key code
+        }
+
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln03")
+    private String vuln03(HttpServletRequest req) {
+        String nick = null;
+        Cookie cookies[] = req.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                // key code. Equals can also be equalsIgnoreCase.
+                if (NICK.equals(cookie.getName())) {
+                    nick =  cookie.getValue();
+                }
+            }
+        }
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln04")
+    private String vuln04(HttpServletRequest req) {
+        String nick = null;
+        Cookie cookies[] = req.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                if (cookie.getName().equalsIgnoreCase(NICK)) {  // key code
+                    nick =  cookie.getValue();
+                }
+            }
+        }
+        return "Cookie nick: " + nick;
+    }
+
+
+
+    @RequestMapping(value = "/vuln05")
+    private String vuln05(@CookieValue("nick") String nick) {
+        return "Cookie nick: " + nick;
+    }
+
+
+    @RequestMapping(value = "/vuln06")
+    private String vuln06(@CookieValue(value = "nick") String nick) {
+        return "Cookie nick: " + nick;
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java
@@ -4,7 +4,9 @@
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
 
-
+// AbstractJsonpResponseBodyAdvice will be removed as of Spring Framework 5.1, use CORS instead.
+// Since Spring Framework 4.1
+// Springboot 2.1.0 RELEASE use spring framework 5.1.2
 @ControllerAdvice
 public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
 
diff --git a/src/main/java/org/joychou/util/WebUtils.java b/src/main/java/org/joychou/util/WebUtils.java
@@ -1,5 +1,6 @@
 package org.joychou.util;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
@@ -17,4 +18,9 @@ public static String convertStreamToString(java.io.InputStream is) {
         java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
         return s.hasNext() ? s.next() : "";
     }
+
+    public static String getCookieValueByName(HttpServletRequest request, String cookieName) {
+        Cookie cookie = org.springframework.web.util.WebUtils.getCookie(request, cookieName);
+        return cookie == null ? null : cookie.getValue();
+    }
 }
