add CVE-2022-22978

Author: JoyChou93

README.md

@@ -30,6 +30,7 @@ Sort by letter.
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)

README_zh.md

@@ -26,6 +26,7 @@ joychou/joychou123
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
 - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
+- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)

src/main/java/org/joychou/controller/Dotall.java

@@ -0,0 +1,32 @@
+package org.joychou.controller;
+
+
+
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.regex.Pattern;
+
+
+/**
+ * Spring Security CVE-2022-22978 <p>
+ * <a href="https://github.com/JoyChou93/java-sec-code/wiki/CVE-2022-22978">漏洞相关wiki</a>
+ * @author JoyChou @2023-01-212
+ */
+
+public class Dotall {
+
+
+    /**
+     * <a href="https://github.com/spring-projects/spring-security/compare/5.5.6..5.5.7">官方spring-security修复commit记录</a>
+     * 漏洞描述：h
+     */
+    public static void main(String[] args) throws Exception{
+        Pattern vuln_pattern = Pattern.compile("/black_path.*");
+        Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL);
+
+        String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString());
+        System.out.println("Poc: " + poc);
+        System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches());    // false，非dotall无法匹配\r\n
+        System.out.println("Dotall: " + sec_pattern.matcher(poc).matches());         // true，dotall可以匹配\r\n
+    }
+}

src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java

@@ -29,7 +29,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-        response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
+        response.getWriter().write("403 forbidden by JoyChou.");  // response contents
     }
 
 }

src/main/java/org/joychou/security/WebSecurityConfig.java

@@ -62,13 +62,16 @@ protected void configure(HttpSecurity http) throws Exception {
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
-        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());«
+
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 
         http.cors();
 
         // spring security login settings
         http.authorizeRequests()
                 .antMatchers("/css/**", "/js/**").permitAll() // permit static resources
+                // CVE-2022-22978漏洞代码
+                .regexMatchers("/black_path.*").denyAll()    // 如果正则匹配到/black_path，则forbidden
                 .anyRequest().authenticated().and() // any request authenticated except above static resources
                 .formLogin().loginPage("/login").permitAll() // permit all to access /login page
                 .successHandler(new LoginSuccessHandler())

src/main/java/org/joychou/util/HttpUtils.java

@@ -146,7 +146,7 @@ public static String HttpURLConnection(String url) {
     public static String Jsoup(String url) {
         try {
             Document doc = Jsoup.connect(url)
-                    //.followRedirects(false)
+//                    .followRedirects(false)
                     .timeout(3000)
                     .cookie("name", "joychou") // request cookies
                     .execute().parse();
@@ -164,7 +164,7 @@ public static String Jsoup(String url) {
      */
     public static String okhttp(String url) throws IOException {
         OkHttpClient client = new OkHttpClient();
-        // client.setFollowRedirects(false);
+//         client.setFollowRedirects(false);
         com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
         return client.newCall(ok_http).execute().body().string();
     }