SSRF漏洞处理

Decadent丶沉沦

已于 2024-09-12 15:03:53 修改

阅读量80

点赞数 2

分类专栏：安全文章标签：安全 java

于 2024-09-12 15:02:50 首次发布

本文链接：https://blog.csdn.net/Decembetion/article/details/142176323

版权

安全专栏收录该内容

2 篇文章 0 订阅

订阅专栏

public JsonObject urlconvertBase64Invoice(JsonObject paramJson) throws CustomRuntimeException {
    JsonObject res = new JsonObject();
    
    if (paramJson == null || !paramJson.has("paramJson")) {
        throw new CustomRuntimeException("Invalid input: paramJson is missing or null");
    }
    
    String fileUrl = paramJson.getString("paramJson");
    
    if (fileUrl == null || fileUrl.trim().isEmpty()) {
        throw new CustomRuntimeException("Invalid input: fileUrl is empty or null");
    }
    
    // Use a whitelist approach for allowed domains
    List<String> allowedDomains = Arrays.asList("XXXX.com");
    
    try {
        URL url = new URL(fileUrl);
        String host = url.getHost();
        
        if (!allowedDomains.contains(host)) {
            throw new CustomRuntimeException(MultiLangContext.getInstance().getMessage("仅限域名作为参数使用，其余Host存在ssrf漏洞隐患") 
                + " Unauthorized domain: " + host);
        }
        
        // Process the URL and populate 'res' object
        // ... (Add your URL processing logic here)
        
        return res;
    } catch (MalformedURLException e) {
        throw new CustomRuntimeException("Invalid URL format: " + fileUrl);
    }
}