mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2025-01-19 00:07:17 +01:00
Security fix: Server-Side Request Forgery
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-4v4c-9hpr-93vx
This commit is contained in:
parent
93e190fdeb
commit
67f983f00d
@ -88,15 +88,45 @@ public class GeneralUtils {
|
|||||||
|
|
||||||
public static boolean isURLReachable(String urlStr) {
|
public static boolean isURLReachable(String urlStr) {
|
||||||
try {
|
try {
|
||||||
|
// Parse the URL
|
||||||
URL url = URI.create(urlStr).toURL();
|
URL url = URI.create(urlStr).toURL();
|
||||||
|
|
||||||
|
// Allow only http and https protocols
|
||||||
|
String protocol = url.getProtocol();
|
||||||
|
if (!protocol.equals("http") && !protocol.equals("https")) {
|
||||||
|
return false; // Disallow other protocols
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if the host is a local address
|
||||||
|
String host = url.getHost();
|
||||||
|
if (isLocalAddress(host)) {
|
||||||
|
return false; // Exclude local addresses
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if the URL is reachable
|
||||||
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
|
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
|
||||||
connection.setRequestMethod("HEAD");
|
connection.setRequestMethod("HEAD");
|
||||||
|
connection.setConnectTimeout(5000); // Set connection timeout
|
||||||
|
connection.setReadTimeout(5000); // Set read timeout
|
||||||
int responseCode = connection.getResponseCode();
|
int responseCode = connection.getResponseCode();
|
||||||
return (200 <= responseCode && responseCode <= 399);
|
return (200 <= responseCode && responseCode <= 399);
|
||||||
} catch (MalformedURLException e) {
|
} catch (Exception e) {
|
||||||
return false;
|
return false; // Return false in case of any exception
|
||||||
} catch (IOException e) {
|
}
|
||||||
return false;
|
}
|
||||||
|
|
||||||
|
private static boolean isLocalAddress(String host) {
|
||||||
|
try {
|
||||||
|
// Resolve DNS to IP address
|
||||||
|
InetAddress address = InetAddress.getByName(host);
|
||||||
|
|
||||||
|
// Check for local addresses
|
||||||
|
return address.isAnyLocalAddress() || // Matches 0.0.0.0 or similar
|
||||||
|
address.isLoopbackAddress() || // Matches 127.0.0.1 or ::1
|
||||||
|
address.isSiteLocalAddress() || // Matches private IPv4 ranges: 192.168.x.x, 10.x.x.x, 172.16.x.x to 172.31.x.x
|
||||||
|
address.getHostAddress().startsWith("fe80:"); // Matches link-local IPv6 addresses
|
||||||
|
} catch (Exception e) {
|
||||||
|
return false; // Return false for invalid or unresolved addresses
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user