add filter cors fix code

JoyChou93 · JoyChou93 · commit 6ae05278b383 · 2019-12-19T19:50:00.000+08:00
diff --git a/src/main/java/org/joychou/config/CorsConfig2.java b/src/main/java/org/joychou/config/CorsConfig2.java
@@ -7,6 +7,7 @@
 //import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 //import org.springframework.web.filter.CorsFilter;
 //
+//// https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
 //@Configuration
 //public class CorsConfig2 {
 //
diff --git a/src/main/java/org/joychou/controller/Cors.java b/src/main/java/org/joychou/controller/Cors.java
@@ -18,7 +18,7 @@
 
 @RestController
 @RequestMapping("/cors")
-public class CORS {
+public class Cors {
 
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
     protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
@@ -46,42 +46,42 @@ private static String vuls3(HttpServletResponse response) {
     }
 
 
-    /**
-     * http://localhost:8080/cors/sec/webMvcConfigurer
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
     @RequestMapping("/sec/webMvcConfigurer")
     public CsrfToken getCsrfToken_01(CsrfToken token) {
         return token;
     }
 
 
-    /**
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
     @RequestMapping("/sec/httpCors")
     public CsrfToken getCsrfToken_02(CsrfToken token) {
         return token;
     }
 
 
-    /**
-     * https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
-     */
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
     @RequestMapping("/sec/corsFitler")
     public CsrfToken getCsrfToken_03(CsrfToken token) {
         return token;
     }
 
 
+    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/CorsFilter.java
+    @RequestMapping("/sec/Filter")
+    public CsrfToken getCsrfToken_04(CsrfToken token) {
+        return token;
+    }
+
+
     // http://localhost:8080/cors/sec/checkOrigin
     @RequestMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && !SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) ) {
+        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
diff --git a/src/main/java/org/joychou/controller/URLRedirect.java b/src/main/java/org/joychou/controller/URLRedirect.java
@@ -82,7 +82,7 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
     public static void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException{
         String url = request.getParameter("url");
         String urlwhitelist[] = {"joychou.org", "joychou.com"};
-        if (!SecurityUtil.checkURLbyEndsWith(url, urlwhitelist)) {
+        if (SecurityUtil.checkURLbyEndsWith(url, urlwhitelist) == null) {
             // Redirect to error page.
             response.sendRedirect("https://test.joychou.org/error3.html");
             return;
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
@@ -62,7 +62,7 @@ private String referer(HttpServletRequest request) {
     private String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+        if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
 
@@ -108,7 +108,7 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
     private String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
+        if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
             return "error";
         }
 
diff --git a/src/main/java/org/joychou/filter/HttpFilter.java b/src/main/java/org/joychou/filter/HttpFilter.java
@@ -1,4 +1,4 @@
-package org.joychou.security;
+package org.joychou.filter;
 
 
 import javax.servlet.*;
@@ -9,6 +9,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.AntPathMatcher;
@@ -30,7 +31,7 @@ public void init(FilterConfig filterConfig) throws ServletException {
 
     }
 
-    private final Logger logger= LoggerFactory.getLogger(HttpFilter.class);
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @Override
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
@@ -49,13 +50,15 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
             }
         }
 
+        // logger.info("[+] Referer: " + refer);
+
         if (isMatch) {
             if (WebConfig.getReferSecEnabled()) {
                 // Check referer for all GET requests with callback parameters.
                 for (String callback: WebConfig.getCallbacks()) {
                     if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){
                         // If the check of referer fails, a 403 forbidden error page will be returned.
-                        if (!SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist())){
+                        if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
                             logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                                     + "Referer: " + refer);
                             response.sendRedirect("https://test.joychou.org/error3.html");
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -0,0 +1,59 @@
+package org.joychou.filter;
+
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.joychou.security.SecurityUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
+ * @author JoyChou @ 2019.12.19
+ *
+ */
+
+@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/Filter")
+public class OriginFilter implements Filter {
+
+    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
+            throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest)req;
+        HttpServletResponse response = (HttpServletResponse)res;
+
+        String origin = request.getHeader("Origin");
+        logger.info("[+] Origin: " + origin + "\tCurrent url:" + request.getRequestURL());
+
+        // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
+        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
+            logger.error("[-] Origin check error.");
+            return;
+        }
+
+        response.setHeader("Access-Control-Allow-Origin", origin);
+        response.setHeader("Access-Control-Allow-Credentials", "true");
+        response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTION");
+
+        filterChain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -18,29 +18,29 @@ public class SecurityUtil {
      *
      * @param url 需要check的url
      * @param urlwhitelist url白名单list
-     * @return 安全url返回true，危险url返回false
+     * @return 安全url返回url，危险url返回null
      */
-    public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {
+    public static String checkURLbyEndsWith(String url, String[] urlwhitelist) {
         if (null == url) {
-            return false;
+            return null;
         }
         try {
             URI uri = new URI(url);
 
             if (!url.startsWith("http://") && !url.startsWith("https://")) {
-                return false;
+                return null;
             }
 
             String host = uri.getHost().toLowerCase();
             for (String whitelist: urlwhitelist){
                 if (host.endsWith("." + whitelist)) {
-                    return true;
+                    return url;
                 }
             }
 
-            return false;
+            return null;
         } catch (Exception e) {
-            return false;
+            return null;
         }
     }
 
@@ -75,9 +75,9 @@ public static boolean checkSSRFWithoutRedirect(String url) {
      *
      * @param url The url that needs to check.
      * @param hostWlist host whitelist
-     * @return Safe url returns true. Dangerous url returns false.
+     * @return Safe url returns url. Dangerous url returns null.
      */
-    public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {
+    public static String checkSSRFByHostWlist(String url, String[] hostWlist) {
         return checkURLbyEndsWith(url, hostWlist);
     }
 
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
@@ -10,6 +10,7 @@
     <p>
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
+        <a th:href="@{cors/sec/Filter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ private String referer(HttpServletRequest request) {`
`62`	`62`	`private String emptyReferer(HttpServletRequest request) {`
`63`	`63`	`String referer = request.getHeader("referer");`
`64`	`64`
`65`		`- if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {`
	`65`	`+ if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {`
`66`	`66`	`return "error";`
`67`	`67`	`}`
`68`	`68`
`@@ -108,7 +108,7 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {`
`108`	`108`	`private String safecode(HttpServletRequest request) {`
`109`	`109`	`String referer = request.getHeader("referer");`
`110`	`110`
`111`		`- if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {`
	`111`	`+ if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {`
`112`	`112`	`return "error";`
`113`	`113`	`}`
`114`	`114`
Original file line number	Diff line number	Diff line change
`@@ -18,29 +18,29 @@ public class SecurityUtil {`
`18`	`18`	`*`
`19`	`19`	`* @param url 需要check的url`
`20`	`20`	`* @param urlwhitelist url白名单list`
`21`		`- * @return 安全url返回true，危险url返回false`
	`21`	`+ * @return 安全url返回url，危险url返回null`
`22`	`22`	`*/`
`23`		`- public static Boolean checkURLbyEndsWith(String url, String[] urlwhitelist) {`
	`23`	`+ public static String checkURLbyEndsWith(String url, String[] urlwhitelist) {`
`24`	`24`	`if (null == url) {`
`25`		`- return false;`
	`25`	`+ return null;`
`26`	`26`	`}`
`27`	`27`	`try {`
`28`	`28`	`URI uri = new URI(url);`
`29`	`29`
`30`	`30`	`if (!url.startsWith("http://") && !url.startsWith("https://")) {`
`31`		`- return false;`
	`31`	`+ return null;`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`String host = uri.getHost().toLowerCase();`
`35`	`35`	`for (String whitelist: urlwhitelist){`
`36`	`36`	`if (host.endsWith("." + whitelist)) {`
`37`		`- return true;`
	`37`	`+ return url;`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`
`41`		`- return false;`
	`41`	`+ return null;`
`42`	`42`	`} catch (Exception e) {`
`43`		`- return false;`
	`43`	`+ return null;`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`@@ -75,9 +75,9 @@ public static boolean checkSSRFWithoutRedirect(String url) {`
`75`	`75`	`*`
`76`	`76`	`* @param url The url that needs to check.`
`77`	`77`	`* @param hostWlist host whitelist`
`78`		`- * @return Safe url returns true. Dangerous url returns false.`
	`78`	`+ * @return Safe url returns url. Dangerous url returns null.`
`79`	`79`	`*/`
`80`		`- public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) {`
	`80`	`+ public static String checkSSRFByHostWlist(String url, String[] hostWlist) {`
`81`	`81`	`return checkURLbyEndsWith(url, hostWlist);`
`82`	`82`	`}`
`83`	`83`