fix #13

Author: JoyChou93

src/main/java/org/joychou/config/SafeDomainConfig.java

@@ -7,14 +7,14 @@
 
 
 /**
- * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在bean里。
+ * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在Bean里。
  */
 @Configuration
 public class SafeDomainConfig {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(SafeDomainConfig.class);
 
-    @Bean
+    @Bean // @Bean代表将safeDomainParserf方法返回的对象装配到SpringIOC容器中
     public SafeDomainParser safeDomainParser() {
         try {
             LOGGER.info("SafeDomainParser bean inject successfully!!!");
@@ -26,3 +26,4 @@ public SafeDomainParser safeDomainParser() {
     }
 
 }
+

src/main/java/org/joychou/config/SafeDomainParser.java

@@ -18,10 +18,13 @@ public class SafeDomainParser {
 
     public SafeDomainParser(){
 
-        String safeTag = "safedomain";
-        String domainSafeTag = "domain";
-        String safeDomainClassPath = "url" + File.separator + "safe_domain.xml";
+        String rootTag = "domains";
+        String safeDomainTag = "safedomains";
+        String blockDomainTag = "blockdomains";
+        String finalTag = "domain";
+        String safeDomainClassPath = "url" + File.separator + "url_safe_domain.xml";
         ArrayList<String> safeDomains = new ArrayList<>();
+        ArrayList<String> blockDomains = new ArrayList<>();
 
         try {
             // 读取resources目录下的文件
@@ -32,23 +35,104 @@ public SafeDomainParser(){
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document doc = db.parse(file);  // parse xml
 
-            NodeList rootNode = doc.getElementsByTagName(safeTag);
+            NodeList rootNode = doc.getElementsByTagName(rootTag);  // 解析根节点domains
             Node domainsNode = rootNode.item(0);
             NodeList child = domainsNode.getChildNodes();
 
             for (int i = 0; i < child.getLength(); i++){
                 Node node = child.item(i);
-                if (node.getNodeName().equals(domainSafeTag)) {
-                    safeDomains.add(node.getTextContent());
+                // 解析safeDomains节点
+                if (node.getNodeName().equals(safeDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node finalTagNode = tagChild.item(j);
+                        // 解析safeDomains节点里的domain节点
+                        if (finalTagNode.getNodeName().equals(finalTag)) {
+                            safeDomains.add(finalTagNode.getTextContent());
+                        }
+                    }
+                }else if (node.getNodeName().equals(blockDomainTag)) {
+                    NodeList finalTagNode = node.getChildNodes();
+                    for (int j = 0; j < finalTagNode.getLength(); j++) {
+                        Node tagNode = finalTagNode.item(j);
+                        // 解析blockDomains节点里的domain节点
+                        if (tagNode.getNodeName().equals(finalTag)) {
+                            blockDomains.add(tagNode.getTextContent());
+                        }
+                    }
                 }
             }
-
         }catch (Exception e){
             logger.error(e.toString());
         }
 
         WebConfig wc = new WebConfig();
         wc.setSafeDomains(safeDomains);
+        wc.setBlockDomains(blockDomains);
+
+        // 解析SSRF配置
+        String ssrfRootTag = "ssrfsafeconfig";
+        String ssrfSafeDomainTag = "safedomains";
+        String ssrfBlockDomainTag = "blockdomains";
+        String ssrfBlockIpsTag = "blockips";
+        String ssrfFinalTag = "domain";
+        String ssrfIpFinalTag = "ip";
+        String ssrfSafeDomainClassPath = "url" + File.separator + "ssrf_safe_domain.xml";
+
+        ArrayList<String> ssrfSafeDomains = new ArrayList<>();
+        ArrayList<String> ssrfBlockDomains = new ArrayList<>();
+        ArrayList<String> ssrfBlockIps = new ArrayList<>();
+
+        try {
+            // 读取resources目录下的文件
+            ClassPathResource resource = new ClassPathResource(ssrfSafeDomainClassPath);
+            File file = resource.getFile();
+
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            Document doc = db.parse(file);  // parse xml
+
+            NodeList rootNode = doc.getElementsByTagName(ssrfRootTag);  // 解析根节点
+            Node domainsNode = rootNode.item(0);
+            NodeList child = domainsNode.getChildNodes();
+
+            for (int i = 0; i < child.getLength(); i++){
+                Node node = child.item(i);
+                // 解析safeDomains节点
+                if (node.getNodeName().equals(ssrfSafeDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        if (tagFinalNode.getNodeName().equals(ssrfFinalTag)) {
+                            ssrfSafeDomains.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }else if (node.getNodeName().equals(ssrfBlockDomainTag)) {
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        if (tagFinalNode.getNodeName().equals(ssrfFinalTag)) {
+                            ssrfBlockDomains.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }else if(node.getNodeName().equals(ssrfBlockIpsTag)){
+                    NodeList tagChild = node.getChildNodes();
+                    for (int j = 0; j < tagChild.getLength(); j++) {
+                        Node tagFinalNode = tagChild.item(j);
+                        // 解析 blockIps 节点里的 ip 节点
+                        if (tagFinalNode.getNodeName().equals(ssrfIpFinalTag)) {
+                            ssrfBlockIps.add(tagFinalNode.getTextContent());
+                        }
+                    }
+                }
+            }
+        }catch (Exception e){
+            logger.error(e.toString());
+        }
+
+        wc.setSsrfBlockDomains(ssrfBlockDomains);
+        wc.setSsrfBlockIps(ssrfBlockIps);
+        wc.setSsrfSafeDomains(ssrfSafeDomains);
     }
 }
 

src/main/java/org/joychou/config/WebConfig.java

@@ -11,7 +11,7 @@
  *
  * @author JoyChou @2019-07-24
  */
-@Component
+@Component // 注解@Component表明WebConfig类将被SpringIoC容器扫描装配，并且Bean名称为webConfig
 public class WebConfig {
 
     private static String[] callbacks;
@@ -22,7 +22,10 @@ public class WebConfig {
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
     private static ArrayList<String> safeDomains= new ArrayList<>();
-
+    private static ArrayList<String> blockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfSafeDomains = new ArrayList<>();
+    private static ArrayList<String> ssrfBlockDomains= new ArrayList<>();
+    private static ArrayList<String> ssrfBlockIps = new ArrayList<>();
     /**
      * application.properties里object自动转jsonp的referer校验开关
      * @param jsonpReferCheckEnabled jsonp校验开关
@@ -45,19 +48,6 @@ public static String[] getJsonpCallbacks(){
     }
 
 
-    /**
-     * application.properties里object自动转jsonp的referer白名单域名
-     * @param jsonpRefererHost 白名单域名，仅支持一级域名
-     */
-    @Value("${joychou.security.jsonp.referer.host}")
-    public void setJsonpReferWhitelist(String[] jsonpRefererHost){
-        WebConfig.jsonpRefererHost = jsonpRefererHost;
-    }
-    public static String[] getJsonpReferWhitelist(){
-        return jsonpRefererHost;
-    }
-
-
     @Value("${joychou.security.referer.enabled}")
     public void setReferSecEnabled(Boolean referSecEnabled){
         WebConfig.referSecEnabled = referSecEnabled;
@@ -95,10 +85,42 @@ public static String getBusinessCallback(){
     }
 
 
-    public void setSafeDomains(ArrayList<String> safeDomains){
+    void setSafeDomains(ArrayList<String> safeDomains){
         WebConfig.safeDomains = safeDomains;
     }
     public static ArrayList<String> getSafeDomains(){
         return safeDomains;
     }
+
+
+    void setBlockDomains(ArrayList<String> blockDomains){
+        WebConfig.blockDomains = blockDomains;
+    }
+    public static ArrayList<String> getBlockDomains(){
+        return blockDomains;
+    }
+
+
+    void setSsrfSafeDomains(ArrayList<String> ssrfSafeDomains){
+        WebConfig.ssrfSafeDomains = ssrfSafeDomains;
+    }
+    public static ArrayList<String> getSsrfSafeDomains(){
+        return ssrfSafeDomains;
+    }
+
+
+    void setSsrfBlockDomains(ArrayList<String> ssrfBlockDomains){
+        WebConfig.ssrfBlockDomains = ssrfBlockDomains;
+    }
+    public static ArrayList<String> getSsrfBlockDomainsDomains(){
+        return ssrfBlockDomains;
+    }
+
+
+    void setSsrfBlockIps(ArrayList<String> ssrfBlockIps){
+        WebConfig.ssrfBlockIps = ssrfBlockIps;
+    }
+    public static ArrayList<String> getSsrfBlockIps(){
+        return ssrfBlockIps;
+    }
 }

src/main/java/org/joychou/controller/GetRequestURI.java

@@ -0,0 +1,50 @@
+package org.joychou.controller;
+
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * The difference between getRequestURI and getServletPath.
+ * 由于Spring Security的<code>antMatchers("/css/**", "/js/**")</code>未使用getRequestURI，所以登录不会被绕过。
+ *
+ * Details: https://joychou.org/web/security-of-getRequestURI.html
+ *
+ * Poc:
+ *   http://localhost:8080/css/%2e%2e/exclued/vuln
+ *   http://localhost:8080/css/..;/exclued/vuln
+ *   http://localhost:8080/css/..;bypasswaf/exclued/vuln
+ *
+ * @author JoyChou @2020-03-28
+ */
+
+@RestController
+@RequestMapping("uri")
+public class GetRequestURI {
+
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
+
+    @RequestMapping(value = "/exclued/vuln")
+    public String exclued(HttpServletRequest request) {
+
+        String[] excluedPath = {"/css/**", "/js/**"};
+        String uri = request.getRequestURI(); // Security: request.getServletPath()
+        PathMatcher matcher = new AntPathMatcher();
+
+        logger.info("getRequestURI: " + uri);
+        logger.info("getServletPath: " + request.getServletPath());
+
+        for (String path: excluedPath) {
+            if ( matcher.match (path, uri) ) {
+                 return "You have bypassed the login page.";
+            }
+        }
+        return "This is a login page >..<";
+    }
+}

src/main/java/org/joychou/controller/SSRF.java

@@ -197,7 +197,7 @@ public static String ssrf_HttpClient(@RequestParam String url) {
     @RequestMapping("/commonsHttpClient/sec")
     @ResponseBody
     public static String commonsHttpClient(@RequestParam String url) {
-        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+        if (!SecurityUtil.checkSSRFByWhitehosts(url)) {
             return "Bad man. I got u.";
         }
 
@@ -285,7 +285,7 @@ public static String IOUtils(@RequestParam String url) {
     public static String ImageIOSec(@RequestParam String url) {
         try {
             URL u = new URL(url);
-            if (!SecurityUtil.checkSSRF(url)) {
+            if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
                 logger.error("[-] SSRF check failed. Original Url: "+ url);
                 return "SSRF check failed.";
             }