add json to jsonp

Author: JoyChou93

src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java

@@ -1,12 +1,15 @@
 package org.joychou.controller.jsonp;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice;
 
+
 @ControllerAdvice
 public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
 
-    public JSONPAdvice() {
-        super("callback", "cback");  // Can set multiple paramNames
+    // method of using @Value in constructor
+    public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) {
+        super(callback);  // Can set multiple paramNames
     }
 }

src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java

@@ -1,6 +1,8 @@
 package org.joychou.security;
 
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.MediaType;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.access.AccessDeniedHandler;
@@ -17,9 +19,13 @@
  */
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
+    private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class);
+
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
+
+        logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + request.getHeader("referer"));
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
         response.getWriter().write("CSRF check failed by JoyChou.");  // response contents

src/main/java/org/joychou/security/HttpFilter.java

@@ -0,0 +1,89 @@
+package org.joychou.security;
+
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+
+
+/**
+ * Check referer for all GET requests with callback parameters.
+ * If the check of referer fails, a 403 forbidden error page will be returned.
+ *
+ * Still need to add @ServletComponentScan annotation in Application.java.
+ *
+ */
+@WebFilter(filterName = "referFilter", urlPatterns = "/*")
+public class HttpFilter implements Filter {
+
+    @Value("${joychou.security.referer.enabled}")
+    private Boolean referSecEnabled = false;
+
+    @Value("${joychou.security.jsonp.callback}")
+    private String[] callbacks;
+
+    @Value("${joychou.security.referer.hostwhitelist}")
+    private String[] referWhitelist;
+
+    @Value("${joychou.security.referer.uri}")
+    private String[] referUris;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    private final Logger logger= LoggerFactory.getLogger(HttpFilter.class);
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        String refer = request.getHeader("referer");
+        PathMatcher matcher = new AntPathMatcher();
+        boolean isMatch = false;
+        for (String uri: referUris) {
+            if ( matcher.match (uri, request.getRequestURI()) ) {
+                isMatch = true;
+                break;
+            }
+        }
+
+        if (isMatch) {
+            if (referSecEnabled) {
+                // Check referer for all GET requests with callback parameters.
+                for (String callback: callbacks) {
+                    if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
+                        // If the check of referer fails, a 403 forbidden error page will be returned.
+                        if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){
+                            logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer);
+                            response.sendRedirect("https://test.joychou.org/error3.html");
+                            return;
+                        }
+                    }
+                }
+            }
+        }
+
+
+
+        filterChain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}

src/main/java/org/joychou/security/SecurityUtil.java

@@ -55,11 +55,23 @@ public static Boolean checkSSRF(String url) {
     /**
      * Suitable for: TTL isn't set to 0 & Redirect is forbidden.
      *
-     * @param url the url needs to check
+     * @param url The url that needs to check.
      * @return Safe url returns true. Dangerous url returns false.
      */
     public static boolean checkSSRFWithoutRedirect(String url) {
         return !SSRFChecker.isInnerIPByUrl(url);
     }
 
+    /**
+     * Check SSRF by host white list.
+     * This is the simplest and most effective method to fix ssrf vul.
+     *
+     * @param url The url that needs to check.
+     * @param hostWlist host whitelist
+     * @return Safe url returns true. Dangerous url returns false.
+     */
+    public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
+        return checkURLbyEndsWith(url, hostWlist);
+    }
+
 }

src/main/java/org/joychou/security/WebSecurityConfig.java

@@ -20,22 +20,27 @@
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
-    @Value("${org.joychou.security.csrf}")
-    private Boolean csrfSwitch;  // get csrf switch in application.properties
+    @Value("${joychou.security.csrf.enabled}")
+    private Boolean csrfEnabled = false;
 
-    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
+    @Value("${joychou.security.csrf.exclude.url}")
+    private String[] csrfExcludeUrl;
+
+    @Value("${joychou.security.csrf.method}")
+    private String[] csrfMethod = {"POST"};
 
-        // 配置不需要CSRF校验的请求方式
-        private final HashSet<String> allowedMethods = new HashSet<String>(
-                Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
+    RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
         @Override
         public boolean matches(HttpServletRequest request) {
+
+            // 配置需要CSRF校验的请求方式，
+            HashSet<String> allowedMethods = new HashSet<String>(Arrays.asList(csrfMethod));
             // return false表示不校验csrf
-            if (!csrfSwitch) {
+            if (!csrfEnabled) {
                 return false;
             }
-            return !this.allowedMethods.contains(request.getMethod());
+            return allowedMethods.contains(request.getMethod());
         }
 
     };
@@ -47,7 +52,7 @@ protected void configure(HttpSecurity http) throws Exception {
         // 但存在后端多台服务器情况，session不能同步的问题，所以一般使用cookie模式。
         http.csrf()
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
-                .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
+                .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         // 自定义csrf校验失败的代码，默认是返回403错误页面
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());

src/main/java/org/joychou/security/jsonpFilter.java

@@ -3,6 +3,27 @@
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml
 
-# jsonp check referer switch
-org.joychou.security.jsonp = false
-org.joychou.security.csrf = false
+
+
+### check referer configuration begins ###
+joychou.security.referer.enabled = true
+joychou.security.referer.hostwhitelist = joychou.org, joychou.com
+# Only support ant url style.
+joychou.security.referer.uri = /jsonp/**
+### check referer configuration ends ###
+
+
+### csrf configuration begins ###
+# csrf token check
+joychou.security.csrf.enabled = true
+# URI without CSRF check (only support ANT url format)
+joychou.security.csrf.exclude.url = /xxe/**, /fastjon/**
+# method for CSRF check
+joychou.security.csrf.method = POST
+### csrf configuration ends ###
+
+
+### jsonp configuration begins ###  # auto convert json to jsonp
+# callback parameters name
+joychou.security.jsonp.callback = callback, _callback
+### jsonp configuration ends ###