From 8ae897d0a34be7409e7669610125f2a28858d873 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 15 Jun 2024 13:09:11 +0000
Subject: [PATCH] Sandboxed URL creation to prevent SSRF attacks
---
pom.xml | 6 ++++++
promise/pom.xml | 4 ++++
promise/src/main/java/com/iluwatar/promise/Utility.java | 4 +++-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 10348ef0466a..f9dce3220884 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,7 @@
iluwatar_java-design-patterns
${project.artifactId}
Java Design Patterns
+ 1.1.3
abstract-factory
@@ -248,6 +249,11 @@
${system-lambda.version}
test
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
diff --git a/promise/pom.xml b/promise/pom.xml
index 7a104ee3bf14..708c43ed0511 100644
--- a/promise/pom.xml
+++ b/promise/pom.xml
@@ -44,6 +44,10 @@
mockito-core
test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/promise/src/main/java/com/iluwatar/promise/Utility.java b/promise/src/main/java/com/iluwatar/promise/Utility.java
index 0976c8c751bc..2ecb9a967331 100644
--- a/promise/src/main/java/com/iluwatar/promise/Utility.java
+++ b/promise/src/main/java/com/iluwatar/promise/Utility.java
@@ -24,6 +24,8 @@
*/
package com.iluwatar.promise;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
@@ -98,7 +100,7 @@ public static Integer countLines(String fileLocation) {
*/
public static String downloadFile(String urlString) throws IOException {
LOGGER.info("Downloading contents from url: {}", urlString);
- var url = new URL(urlString);
+ var url = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
var file = File.createTempFile("promise_pattern", null);
try (var bufferedReader = new BufferedReader(new InputStreamReader(url.openStream()));
var writer = new FileWriter(file)) {
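Review bot: The host check on the new `Urls.create(...)` line is applied only to the string the caller passes in, but `url.openStream()` on the following line still goes through `HttpURLConnection`, which follows HTTP redirects by default, so an allowed external host can answer with a 3xx pointing at an internal or metadata address that is never re-validated. A denylist evaluated at URL-construction time presumably also cannot see what the hostname later resolves to (DNS rebinding), so I would not describe this as closing SSRF — worth confirming against the toolkit's documentation for `DENY_COMMON_INFRASTRUCTURE_TARGETS`. I would open the connection explicitly, disable redirect following, and fail on any 3xx response (or re-validate its `Location` through the same `Urls.create(...)` call), which needs `java.net.HttpURLConnection` imported. The method's Javadoc (above the hunk) should also state that a rejected host surfaces as an exception from the toolkit rather than a plain `IOException`, since callers catching only `IOException` may not expect it; `downloadFile` continues past the end of the hunk.
```java
    var url = Urls.create(urlString, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
    var connection = (HttpURLConnection) url.openConnection();
    // The validator only saw the original host; never follow a redirect to one it did not.
    connection.setInstanceFollowRedirects(false);
    if (connection.getResponseCode() / 100 == 3) {
      throw new IOException("Refusing to follow redirect from " + urlString);
    }
    var file = File.createTempFile("promise_pattern", null);
    try (var bufferedReader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
    // … unchanged: copy loop and return …
```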