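/**
 * Validates that the {@code "paramJson"} entry of {@code paramJson} is an absolute http(s) URL
 * whose host is on the allowlist, then returns the (still empty) result object.
 *
 * <p>The host check is the SSRF guard for this endpoint, so the comparison has to be exact and
 * canonical: the scheme is restricted to {@code http}/{@code https} (rejecting {@code file:},
 * {@code jar:}, {@code ftp:} URLs that {@link URL} would otherwise accept), and the host is
 * compared case-insensitively with any trailing dot removed, because DNS names are
 * case-insensitive and {@code XXXX.COM.} would slip past a plain {@code contains} check.
 * Only whole-host equality is accepted - no suffix or wildcard matching - so
 * {@code evilXXXX.com} is rejected as well.
 *
 * @param paramJson request payload; must contain a non-blank string under {@code "paramJson"}
 * @return the result object (the URL-processing step that populates it is not implemented here)
 * @throws CustomRuntimeException if the input is missing or blank, the URL is malformed, uses a
 *     non-http(s) scheme, has no host, or its host is not on the allowlist
 */
public JsonObject urlconvertBase64Invoice(JsonObject paramJson) throws CustomRuntimeException {
    JsonObject res = new JsonObject();
    if (paramJson == null || !paramJson.has("paramJson")) {
        throw new CustomRuntimeException("Invalid input: paramJson is missing or null");
    }
    String fileUrl = paramJson.getString("paramJson");
    if (fileUrl == null || fileUrl.trim().isEmpty()) {
        throw new CustomRuntimeException("Invalid input: fileUrl is empty or null");
    }
    // Allowlist of exact hostnames. "XXXX.com" is the page's placeholder entry; add real hosts here.
    List<String> allowedDomains = Arrays.asList("XXXX.com");

    // Parse first; only the parse can throw MalformedURLException, so keep the validation outside
    // the try block where a CustomRuntimeException cannot be confused with a parse failure.
    URL url;
    try {
        url = new URL(fileUrl);
    } catch (MalformedURLException e) {
        // NOTE(review): the cause is dropped here; attach `e` if CustomRuntimeException has a
        // (String, Throwable) constructor - only the single-String form is visible in this file.
        throw new CustomRuntimeException("Invalid URL format: " + fileUrl);
    }

    // Scheme restriction: URL also accepts file:, jar:, ftp:, which must never reach a fetch.
    // getProtocol() is already lower-case, so a plain equals is enough.
    String protocol = url.getProtocol();
    if (!"http".equals(protocol) && !"https".equals(protocol)) {
        throw new CustomRuntimeException("Unsupported URL scheme: " + protocol);
    }

    // Normalise the host before comparing: URL.getHost() returns "" when no authority is present,
    // and a trailing dot ("XXXX.com.") names the same DNS zone but would fail an exact compare.
    String host = url.getHost();
    if (host == null || host.isEmpty()) {
        throw new CustomRuntimeException("Invalid URL: host is missing");
    }
    if (host.endsWith(".")) {
        host = host.substring(0, host.length() - 1);
    }
    final String normalizedHost = host;
    // Case-insensitive whole-host match against the allowlist (DNS names are case-insensitive).
    boolean allowed = allowedDomains.stream().anyMatch(normalizedHost::equalsIgnoreCase);
    if (!allowed) {
        throw new CustomRuntimeException(MultiLangContext.getInstance().getMessage("仅限域名作为参数使用,其余Host存在ssrf漏洞隐患")
                + " Unauthorized domain: " + host);
    }

    // Process the URL and populate 'res' object
    // ... (Add your URL processing logic here)
    return res;
}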
SSRF漏洞处理