cccfeng · cccfeng · Mar 16, 2025 · May 7, 2025 · coderabbitai · Mar 16, 2025
diff --git a/CSRF.java b/CSRF.java
@@ -0,0 +1,29 @@
+package org.joychou.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ * check csrf using spring-security
+ * Access http://localhost:8080/csrf/ -> click submit
+ *
+ * @author JoyChou (joychou@joychou.org) @2019-05-31
+ */
+@Controller
+@RequestMapping("/csrf")
+public class CSRF {
+
+    @GetMapping("/")
+    public String index() {
+        return "form";
+    }
+
+    @PostMapping("/post")
+    @ResponseBody
+    public String post() {
+        return "CSRF passed.";
+    }
+}
diff --git a/src/main/java/org/joychou/controller/URLRedirect2.java b/src/main/java/org/joychou/controller/URLRedirect2.java
@@ -0,0 +1,93 @@
+package org.joychou.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.joychou.security.SecurityUtil;
+
+/**
+ * The vulnerability code and security code of Java url redirect.
+ * The security code is checking whitelist of url redirect.
+ *
+ * @author JoyChou (joychou@joychou.org)
+ * @version 2017.12.28
+ */
+
+@Controller
+@RequestMapping("/urlRedirect")
+public class URLRedirect {
+
+    /**
+     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
+     */
+    @GetMapping("/redirect")
+    public String redirect(@RequestParam("url") String url) {
+        return "redirect:" + url;
+    }
-    /**
-     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
-     */
-    @GetMapping("/redirect")
-    public String redirect(@RequestParam("url") String url) {
-        return "redirect:" + url;
-    }
+    /**
+     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
+     */
+    @GetMapping("/redirect")
+    public String redirect(@RequestParam("url") String url) {
+        if (SecurityUtil.checkURL(url) == null) {
+            return "redirect:/error";
+        }
+        return "redirect:" + url;
+    }
-    /**
-     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
-     */
-    @GetMapping("/redirect")
-    public String redirect(@RequestParam("url") String url) {
-        return "redirect:" + url;
-    }
+    /**
+     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
+     */
+    @GetMapping("/redirect")
+    public String redirect(@RequestParam("url") String url) {
+        if (SecurityUtil.checkURL(url) == null) {
+            return "redirect:/error";
+        }
+        return "redirect:" + url;
+    }
+
+
+    /**
+     * http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
+     */
+    @RequestMapping("/setHeader")
+    @ResponseBody
+    public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
+        response.setHeader("Location", url);
+    }
-    @RequestMapping("/setHeader")
-    @ResponseBody
-    public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
-        String url = request.getParameter("url");
-        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
-        response.setHeader("Location", url);
-    }
+    @RequestMapping("/setHeader")
+    @ResponseBody
+    public void setHeader(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        if (SecurityUtil.checkURL(url) == null) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            try {
+                response.getWriter().write("url forbidden");
+            } catch (IOException e) {
+                // 处理异常
+            }
+            return;
+        }
+        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
+        response.setHeader("Location", url);
+    }
-    @RequestMapping("/setHeader")
-    @ResponseBody
-    public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
-        String url = request.getParameter("url");
-        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
-        response.setHeader("Location", url);
-    }
+    @RequestMapping("/setHeader")
+    @ResponseBody
+    public void setHeader(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        if (SecurityUtil.checkURL(url) == null) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            try {
+                response.getWriter().write("url forbidden");
+            } catch (IOException e) {
+                // 处理异常
+            }
+            return;
+        }
+        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
+        response.setHeader("Location", url);
+    }
+
+
+    /**
+     * http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
+     */
+    @RequestMapping("/sendRedirect")
+    @ResponseBody
+    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        String url = request.getParameter("url");
+        response.sendRedirect(url); // 302 redirect
+    }
-    @RequestMapping("/sendRedirect")
-    @ResponseBody
-    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        String url = request.getParameter("url");
-        response.sendRedirect(url); // 302 redirect
-    }
+    @RequestMapping("/sendRedirect")
+    @ResponseBody
+    public void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        String url = request.getParameter("url");
+        if (SecurityUtil.checkURL(url) == null) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("url forbidden");
+            return;
+        }
+        response.sendRedirect(url); // 302 redirect
+    }
-    @RequestMapping("/sendRedirect")
-    @ResponseBody
-    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        String url = request.getParameter("url");
-        response.sendRedirect(url); // 302 redirect
-    }
+    @RequestMapping("/sendRedirect")
+    @ResponseBody
+    public void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        String url = request.getParameter("url");
+        if (SecurityUtil.checkURL(url) == null) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("url forbidden");
+            return;
+        }
+        response.sendRedirect(url); // 302 redirect
+    }
+
+
+    /**
+     * Safe code. Because it can only jump according to the path, it cannot jump according to other urls.
+     * http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
+     */
+    @RequestMapping("/forward")
+    @ResponseBody
+    public static void forward(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        RequestDispatcher rd = request.getRequestDispatcher(url);
+        try {
+            rd.forward(request, response);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
-    @RequestMapping("/forward")
-    @ResponseBody
-    public static void forward(HttpServletRequest request, HttpServletResponse response) {
-        String url = request.getParameter("url");
-        RequestDispatcher rd = request.getRequestDispatcher(url);
-        try {
-            rd.forward(request, response);
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
+    @RequestMapping("/forward")
+    @ResponseBody
+    public void forward(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        // 验证URL是否为内部路径，防止路径遍历攻击
+        if (url == null || url.contains("..") || !url.startsWith("/")) {
+            try {
+                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+                response.getWriter().write("Invalid URL path");
+                return;
+            } catch (IOException e) {
+                // 记录日志
+            }
+            return;
+        }
+        RequestDispatcher rd = request.getRequestDispatcher(url);
+        try {
+            rd.forward(request, response);
+        } catch (Exception e) {
+            // 记录日志
+            try {
+                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+                response.getWriter().write("Error forwarding request");
+            } catch (IOException ex) {
+                // 记录日志
+            }
+        }
+    }
-    @RequestMapping("/forward")
-    @ResponseBody
-    public static void forward(HttpServletRequest request, HttpServletResponse response) {
-        String url = request.getParameter("url");
-        RequestDispatcher rd = request.getRequestDispatcher(url);
-        try {
-            rd.forward(request, response);
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
+    @RequestMapping("/forward")
+    @ResponseBody
+    public void forward(HttpServletRequest request, HttpServletResponse response) {
+        String url = request.getParameter("url");
+        // 验证URL是否为内部路径，防止路径遍历攻击
+        if (url == null || url.contains("..") || !url.startsWith("/")) {
+            try {
+                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+                response.getWriter().write("Invalid URL path");
+                return;
+            } catch (IOException e) {
+                // 记录日志
+            }
+            return;
+        }
+        RequestDispatcher rd = request.getRequestDispatcher(url);
+        try {
+            rd.forward(request, response);
+        } catch (Exception e) {
+            // 记录日志
+            try {
+                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+                response.getWriter().write("Error forwarding request");
+            } catch (IOException ex) {
+                // 记录日志
+            }
+        }
+    }
+
+
+    /**
+     * Safe code of sendRedirect.
+     * http://localhost:8080/urlRedirect/sendRedirect/sec?url=http://www.baidu.com
+     */
+    @RequestMapping("/sendRedirect/sec")
+    @ResponseBody
+    public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        String url = request.getParameter("url");
+        if (SecurityUtil.checkURL(url) == null) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            response.getWriter().write("url forbidden");
+            return;
+        }
+        response.sendRedirect(url);
+    }
+}