mirror of https://github.com/Frooodle/Stirling-PDF.git, synced 2026-02-17 13:52:14 +01:00
# Description of Changes

This pull request introduces a new SSRF (Server-Side Request Forgery) protection mechanism for URL handling in the application. Key changes include adding a dedicated `SsrfProtectionService`, integrating SSRF-safe policies into HTML sanitization, and extending application settings to support configurable URL security options.

### SSRF Protection Implementation:

* **`SsrfProtectionService`**: Added a new service to handle SSRF protection with configurable levels (`OFF`, `MEDIUM`, `MAX`) and checks for private networks, localhost, link-local addresses, and cloud metadata endpoints (`app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java`).

### Application Configuration Enhancements:

* **`ApplicationProperties`**: Introduced a new `Html` configuration class with nested `UrlSecurity` settings, allowing fine-grained control over URL security, including allowed/blocked domains and internal TLDs (`app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java`). [[1]](diffhunk://#diff-1c357db0a3e88cf5bedd4a5852415fadad83b8b3b9eb56e67059d8b9d8b10702R293) [[2]](diffhunk://#diff-1c357db0a3e88cf5bedd4a5852415fadad83b8b3b9eb56e67059d8b9d8b10702R346-R364)
* **`settings.yml.template`**: Updated the configuration template to include the new `html.urlSecurity` settings, enabling users to customize SSRF protection behavior (`app/core/src/main/resources/settings.yml.template`).

### HTML Sanitization Updates:

* **`CustomHtmlSanitizer`**: Integrated SSRF-safe URL validation into the HTML sanitizer by using the `SsrfProtectionService`. Added a custom policy for validating `img` tags' `src` attributes (`app/common/src/main/java/stirling/software/common/util/CustomHtmlSanitizer.java`).
---

## Checklist

### General

- [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable)
- [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed)
- [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.

---------

Co-authored-by: a <a>
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
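The commit message above lists what the new service checks (private networks, localhost, link-local addresses, cloud metadata endpoints, internal TLDs, allowed/blocked domains, and the `OFF`/`MEDIUM`/`MAX` levels) but not how such a gate is put together. The class below is an added illustration written for this page, not Stirling-PDF's own `SsrfProtectionService`; its name, constructor, the exact meaning of each level, and the sample URLs are all assumptions. It deliberately does no DNS lookup: address literals are parsed and classified offline, and anything that is neither a strict literal nor a well-formed public host name (decimal, hex, or short-form IPs such as `2130706433`, `0x7f000001`, `127.1`) is rejected rather than resolved.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical SSRF gate for user-supplied URLs, illustrating the checks the commit message lists. It is NOT
 *  Stirling-PDF's SsrfProtectionService: the class, its constructor and what each level enforces are assumptions. */
public final class SsrfUrlGate {
    public enum Level { OFF, MEDIUM, MAX }
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // Cloud metadata endpoints a server-side fetch must never reach.
    private static final Set<String> METADATA_HOSTS = Set.of(
            "169.254.169.254", "fd00:ec2::254",       // AWS/Azure/GCP/OpenStack IMDS (v4), AWS IMDS (v6)
            "metadata.google.internal", "metadata",   // GCP
            "100.100.100.200");                       // Alibaba Cloud
    // Name suffixes that only resolve on an internal resolver.
    private static final Set<String> INTERNAL_TLDS = Set.of(
            ".local", ".localhost", ".internal", ".intranet", ".lan", ".home", ".corp");
    // Strict dotted quad (no leading zeros), so octal and shortened forms never reach the literal path.
    private static final Pattern DOTTED_IPV4 = Pattern.compile("^(?:0|[1-9]\\d{0,2})(?:\\.(?:0|[1-9]\\d{0,2})){3}$");
    // RFC 1123 labels with an alphabetic final label: "2130706433", "127.1" and "0x7f000001" all fail this.
    private static final Pattern HOSTNAME = Pattern.compile("^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\\.)*[a-z]{2,63}$");

    private final Level level;
    private final Set<String> allowedDomains;   // MAX only: if non-empty, only these domains and their subdomains pass
    private final Set<String> blockedDomains;   // always denied, including subdomains

    public SsrfUrlGate(Level level, Set<String> allowedDomains, Set<String> blockedDomains) {
        this.level = level; this.allowedDomains = allowedDomains; this.blockedDomains = blockedDomains;
    }

    /** True if the server may fetch this URL under the configured level. Performs no DNS lookup. */
    public boolean isAllowed(String rawUrl) {
        if (level == Level.OFF) return true;
        URI uri;
        try { uri = new URI(rawUrl.trim()); } catch (URISyntaxException e) { return false; }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return false;
        if (uri.getRawUserInfo() != null) return false;        // http://trusted.example@127.0.0.1/
        String host = uri.getHost();                           // null when java.net.URI cannot parse a server authority
        if (host == null || host.isEmpty()) return false;
        host = host.toLowerCase(Locale.ROOT);
        if (host.length() > 1 && host.endsWith(".")) host = host.substring(0, host.length() - 1);
        String bare = host.startsWith("[") ? host.substring(1, host.length() - 1) : host;  // IPv6 arrives bracketed
        if (METADATA_HOSTS.contains(bare)) return false;
        if (host.startsWith("[") || DOTTED_IPV4.matcher(host).matches()) {   // address literal: parsed, never resolved
            if (!host.startsWith("[")) for (String o : host.split("\\.")) if (Integer.parseInt(o) > 255) return false;
            try { return !isInternal(InetAddress.getByName(bare)); } catch (UnknownHostException e) { return false; }
        }
        if (!HOSTNAME.matcher(host).matches() || host.equals("localhost")) return false;
        for (String tld : INTERNAL_TLDS) if (host.endsWith(tld)) return false;
        if (matchesAny(host, blockedDomains)) return false;
        if (level == Level.MAX) {
            if (!host.contains(".")) return false;              // single-label names resolve via the search domain
            if (!allowedDomains.isEmpty() && !matchesAny(host, allowedDomains)) return false;
        }
        return true;
    }

    private static boolean matchesAny(String host, Set<String> domains) {
        for (String d : domains) {
            d = d.toLowerCase(Locale.ROOT);
            if (host.equals(d) || host.endsWith("." + d)) return true;
        }
        return false;
    }

    /** Ranges a server-side fetch must not reach, beyond those InetAddress flags itself. */
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress()) return true;
        byte[] b = a.getAddress();
        if (b.length == 4) {                                    // IPv4; Java already unwraps ::ffff:a.b.c.d to this
            int o1 = b[0] & 0xff, o2 = b[1] & 0xff;
            return o1 == 0                                      // 0.0.0.0/8 reaches local services on Linux
                    || (o1 == 100 && (o2 & 0xc0) == 64)         // 100.64.0.0/10 CGNAT, used for cloud-internal services
                    || o1 >= 240;                               // 240.0.0.0/4 reserved, 255.255.255.255 broadcast
        }
        if ((b[0] & 0xfe) == 0xfc) return true;                 // fc00::/7 unique local (isSiteLocalAddress misses it)
        boolean v4Compat = true;                                // ::a.b.c.d (deprecated, still parsed)
        for (int i = 0; i < 12; i++) if (b[i] != 0) v4Compat = false;
        boolean nat64 = b[0] == 0 && (b[1] & 0xff) == 0x64 && (b[2] & 0xff) == 0xff && (b[3] & 0xff) == 0x9b; // 64:ff9b::/96
        if (v4Compat || nat64) {                                // judge these by the embedded IPv4 address
            try { return isInternal(InetAddress.getByAddress(new byte[] {b[12], b[13], b[14], b[15]})); }
            catch (UnknownHostException e) { return true; }
        }
        return false;
    }

    public static void main(String[] args) {
        SsrfUrlGate gate = new SsrfUrlGate(Level.MAX, Set.of(), Set.of("corp-git.example"));
        String[] samples = {                                    // constructed sample input, not real targets
                "https://example.com/logo.png", "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]/", "http://2130706433/", "http://0x7f000001/",
                "http://example.com@127.0.0.1/", "http://metadata.google.internal/computeMetadata/v1/",
                "file:///etc/passwd", "http://intranet.corp-git.example/", "http://printer.local/" };
        for (String s : samples) System.out.printf("%-55s %s%n", s, gate.isAllowed(s) ? "ALLOW" : "BLOCK");
    }
}
```

Running `main` prints `ALLOW` only for the first sample; every other line is blocked by a different rule (metadata host, IPv4-mapped loopback, numeric and hex literals, credentials in the authority, non-HTTP scheme, blocked domain, internal TLD). Two caveats apply to any gate of this shape, including one wired into an HTML sanitizer's `img src` policy: it judges the URL string, so the HTTP client that later fetches it must resolve the name itself, apply the same address check to what it resolved (and connect to that pinned address, not re-resolve), and repeat the whole check on every redirect target; otherwise DNS rebinding or a 302 to `169.254.169.254` walks straight past it. The explicit `fc00::/7` and `100.64.0.0/10` tests are there because `InetAddress.isSiteLocalAddress()` covers only RFC 1918 and `fec0::/10`.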
| Name | | |
|---|---|---|
| .. | ||
| icc | ||
| static | ||
| templates | ||
| application.properties | ||
| banner.txt | ||
| certdata.txt | ||
| logback.xml | ||
| messages_ar_AR.properties | ||
| messages_az_AZ.properties | ||
| messages_bg_BG.properties | ||
| messages_bo_CN.properties | ||
| messages_ca_CA.properties | ||
| messages_cs_CZ.properties | ||
| messages_da_DK.properties | ||
| messages_de_DE.properties | ||
| messages_el_GR.properties | ||
| messages_en_GB.properties | ||
| messages_en_US.properties | ||
| messages_es_ES.properties | ||
| messages_eu_ES.properties | ||
| messages_fa_IR.properties | ||
| messages_fr_FR.properties | ||
| messages_ga_IE.properties | ||
| messages_hi_IN.properties | ||
| messages_hr_HR.properties | ||
| messages_hu_HU.properties | ||
| messages_id_ID.properties | ||
| messages_it_IT.properties | ||
| messages_ja_JP.properties | ||
| messages_ko_KR.properties | ||
| messages_ml_IN.properties | ||
| messages_nl_NL.properties | ||
| messages_no_NB.properties | ||
| messages_pl_PL.properties | ||
| messages_pt_BR.properties | ||
| messages_pt_PT.properties | ||
| messages_ro_RO.properties | ||
| messages_ru_RU.properties | ||
| messages_sk_SK.properties | ||
| messages_sl_SI.properties | ||
| messages_sr_LATN_RS.properties | ||
| messages_sv_SE.properties | ||
| messages_th_TH.properties | ||
| messages_tr_TR.properties | ||
| messages_uk_UA.properties | ||
| messages_vi_VN.properties | ||
| messages_zh_CN.properties | ||
| messages_zh_TW.properties | ||
| messages.properties | ||
| settings.yml.template | ||