From e342a7db5601998901af4664c1effcbd11676b48 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 21 Sep 2024 04:54:31 +0000
Subject: [PATCH] Sandboxed URL creation to prevent SSRF attacks
---
.mvn/wrapper/MavenWrapperDownloader.java | 4 +++-
pom.xml | 10 ++++++++++
.../src/main/java/com/iluwatar/promise/Utility.java | 4 +++-
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.mvn/wrapper/MavenWrapperDownloader.java b/.mvn/wrapper/MavenWrapperDownloader.java
index cfc696f0122a..3b17dc11fc4c 100644
--- a/.mvn/wrapper/MavenWrapperDownloader.java
+++ b/.mvn/wrapper/MavenWrapperDownloader.java
@@ -21,6 +21,8 @@
* THE SOFTWARE.
*/
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
import java.net.*;
import java.io.*;
import java.nio.channels.*;
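Review bot: The two added imports make this file depend on `io.github.pixee.security`, but `.mvn/wrapper/MavenWrapperDownloader.java` is normally compiled on the fly by the `mvnw`/`mvnw.cmd` scripts with a bare `javac` and no classpath when the wrapper jar is absent, so the bootstrap would fail with "package io.github.pixee.security does not exist" before Maven (and the new pom dependency) is ever available. The wrapper downloader has to stay self-contained; if a protocol/host check is wanted here, express it with JDK types only, e.g. `if (!"https".equals(website.getProtocol())) throw new IOException("Refusing non-HTTPS wrapper download: " + urlString);` after constructing the URL. Please confirm against the project's `mvnw` script how this file is compiled before merging.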
@@ -113,7 +115,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
}
});
}
- URL website = new URL(urlString);
+ URL website = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
ReadableByteChannel rbc;
rbc = Channels.newChannel(website.openStream());
FileOutputStream fos = new FileOutputStream(destination);
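Review bot: The host validation on the new line only inspects the literal hostname of `urlString` at construction time; `website.openStream()` on the following line goes through `HttpURLConnection`, which follows same-protocol redirects by default, so a permitted host can still redirect the download to an internal address that `DENY_COMMON_INFRASTRUCTURE_TARGETS` would have refused. If the goal is to constrain the final target, open the connection explicitly and disable redirects (`var conn = (HttpURLConnection) website.openConnection(); conn.setInstanceFollowRedirects(false);`) and read from `conn.getInputStream()`. Separately, the bytes are streamed straight into `destination` with no integrity check visible in this hunk; for a file that is later executed as the Maven wrapper, a checksum comparison against a value in the wrapper properties matters more than the host filter. The enclosing method starts and ends outside this hunk.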
diff --git a/pom.xml b/pom.xml
index 10348ef0466a..c824b4c7d4a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,7 @@
iluwatar_java-design-patterns
${project.artifactId}
Java Design Patterns
+ 1.2.0
abstract-factory
@@ -248,6 +249,11 @@
${system-lambda.version}
test
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
@@ -268,6 +274,10 @@
lombok
provided
+
+ io.github.pixee
+ java-security-toolkit
+
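Review bot: This hunk appears to add `java-security-toolkit` to the root pom's `<dependencies>` section (next to the `provided` lombok entry), which, if this is the parent pom, places the library on the compile and runtime classpath of every module even though only `promise/.../Utility.java` uses it. Declaring it only in `dependencyManagement` at the root (the earlier hunk) and adding the dependency in `promise/pom.xml` keeps the new third-party code out of the other modules' artifacts. The version is pinned via the `versions.java-security-toolkit` property, which is good; the XML tags are not visible in this rendering, so please verify which section each entry landed in.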
diff --git a/promise/src/main/java/com/iluwatar/promise/Utility.java b/promise/src/main/java/com/iluwatar/promise/Utility.java
index 0976c8c751bc..2ecb9a967331 100644
--- a/promise/src/main/java/com/iluwatar/promise/Utility.java
+++ b/promise/src/main/java/com/iluwatar/promise/Utility.java
@@ -24,6 +24,8 @@
*/
package com.iluwatar.promise;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
@@ -98,7 +100,7 @@ public static Integer countLines(String fileLocation) {
*/
public static String downloadFile(String urlString) throws IOException {
LOGGER.info("Downloading contents from url: {}", urlString);
- var url = new URL(urlString);
+ var url = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
var file = File.createTempFile("promise_pattern", null);
try (var bufferedReader = new BufferedReader(new InputStreamReader(url.openStream()));
var writer = new FileWriter(file)) {
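Review bot: `url.openStream()` on the line above follows HTTP redirects automatically, so the host check applied on the new `Urls.create(...)` line constrains only the first hop; a caller-supplied URL whose host passes the filter can still redirect to `169.254.169.254` or `localhost` and the body is written to the temp file unchanged. To make the validation meaningful, open the connection explicitly and refuse redirects: `var conn = (HttpURLConnection) url.openConnection(); conn.setInstanceFollowRedirects(false);` and then read from `conn.getInputStream()` (using `StandardCharsets.UTF_8` on the `InputStreamReader` while touching that line). The `LOGGER.info` call also echoes the full caller-supplied URL, which would include any `user:password@` userinfo; consider logging `url.getHost()` instead. `downloadFile` continues past the end of this hunk.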