mirror of
https://github.com/Stirling-Tools/Stirling-PDF.git
synced 2025-08-05 12:05:22 +00:00
url fixes
This commit is contained in:
Anthony Stirling
parent
361151e9a7
commit
d338ac88fd
@ -290,6 +290,7 @@ public class ApplicationProperties {
|
||||
private Datasource datasource;
|
||||
private Boolean disableSanitize;
|
||||
private Boolean enableUrlToPDF;
|
||||
private Html html = new Html();
|
||||
private CustomPaths customPaths = new CustomPaths();
|
||||
private String fileUploadLimit;
|
||||
private TempFileManagement tempFileManagement = new TempFileManagement();
|
||||
@ -342,6 +343,25 @@ public class ApplicationProperties {
|
||||
}
|
||||
}
|
||||
|
||||
@Data
|
||||
public static class Html {
|
||||
private UrlSecurity urlSecurity = new UrlSecurity();
|
||||
|
||||
@Data
|
||||
public static class UrlSecurity {
|
||||
private boolean enabled = true;
|
||||
private String level = "MEDIUM"; // MAX, MEDIUM, OFF
|
||||
private List<String> allowedDomains = new ArrayList<>();
|
||||
private List<String> blockedDomains = new ArrayList<>();
|
||||
private List<String> internalTlds =
|
||||
Arrays.asList(".local", ".internal", ".corp", ".home");
|
||||
private boolean blockPrivateNetworks = true;
|
||||
private boolean blockLocalhost = true;
|
||||
private boolean blockLinkLocal = true;
|
||||
private boolean blockCloudMetadata = true;
|
||||
}
|
||||
}
|
||||
|
||||
@Data
|
||||
public static class Datasource {
|
||||
private boolean enableCustomDatabase;
|
||||
|
||||
@ -0,0 +1,205 @@
|
||||
package stirling.software.common.service;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.net.URI;
|
||||
import java.net.UnknownHostException;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
||||
import stirling.software.common.model.ApplicationProperties;
|
||||
|
||||
@Service
|
||||
@RequiredArgsConstructor
|
||||
@Slf4j
|
||||
public class SsrfProtectionService {
|
||||
|
||||
private final ApplicationProperties applicationProperties;
|
||||
|
||||
private static final Pattern DATA_URL_PATTERN =
|
||||
Pattern.compile("^data:.*", Pattern.CASE_INSENSITIVE);
|
||||
private static final Pattern FRAGMENT_PATTERN = Pattern.compile("^#.*");
|
||||
|
||||
public enum SsrfProtectionLevel {
|
||||
OFF, // No SSRF protection - allows all URLs
|
||||
MEDIUM, // Block internal networks but allow external URLs
|
||||
MAX // Block all external URLs - only data: and fragments
|
||||
}
|
||||
|
||||
public boolean isUrlAllowed(String url) {
|
||||
ApplicationProperties.Html.UrlSecurity config =
|
||||
applicationProperties.getSystem().getHtml().getUrlSecurity();
|
||||
|
||||
if (!config.isEnabled()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (url == null || url.trim().isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
String trimmedUrl = url.trim();
|
||||
|
||||
// Always allow data URLs and fragments
|
||||
if (DATA_URL_PATTERN.matcher(trimmedUrl).matches()
|
||||
|| FRAGMENT_PATTERN.matcher(trimmedUrl).matches()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
SsrfProtectionLevel level = parseProtectionLevel(config.getLevel());
|
||||
|
||||
switch (level) {
|
||||
case OFF:
|
||||
return true;
|
||||
case MAX:
|
||||
return isMaxSecurityAllowed(trimmedUrl, config);
|
||||
case MEDIUM:
|
||||
return isMediumSecurityAllowed(trimmedUrl, config);
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private SsrfProtectionLevel parseProtectionLevel(String level) {
|
||||
try {
|
||||
return SsrfProtectionLevel.valueOf(level.toUpperCase());
|
||||
} catch (IllegalArgumentException e) {
|
||||
log.warn("Invalid SSRF protection level '{}', defaulting to MEDIUM", level);
|
||||
return SsrfProtectionLevel.MEDIUM;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isMaxSecurityAllowed(
|
||||
String url, ApplicationProperties.Html.UrlSecurity config) {
|
||||
// MAX security: only allow explicitly whitelisted domains
|
||||
try {
|
||||
URI uri = new URI(url);
|
||||
String host = uri.getHost();
|
||||
|
||||
if (host == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return config.getAllowedDomains().contains(host.toLowerCase());
|
||||
|
||||
} catch (Exception e) {
|
||||
log.debug("Failed to parse URL for MAX security check: {}", url, e);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isMediumSecurityAllowed(
|
||||
String url, ApplicationProperties.Html.UrlSecurity config) {
|
||||
try {
|
||||
URI uri = new URI(url);
|
||||
String host = uri.getHost();
|
||||
|
||||
if (host == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
String hostLower = host.toLowerCase();
|
||||
|
||||
// Check explicit blocked domains
|
||||
if (config.getBlockedDomains().contains(hostLower)) {
|
||||
log.debug("URL blocked by explicit domain blocklist: {}", url);
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check internal TLD patterns
|
||||
for (String tld : config.getInternalTlds()) {
|
||||
if (hostLower.endsWith(tld.toLowerCase())) {
|
||||
log.debug("URL blocked by internal TLD pattern '{}': {}", tld, url);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// If allowedDomains is specified, only allow those
|
||||
if (!config.getAllowedDomains().isEmpty()) {
|
||||
boolean isAllowed =
|
||||
config.getAllowedDomains().stream()
|
||||
.anyMatch(
|
||||
domain ->
|
||||
hostLower.equals(domain.toLowerCase())
|
||||
|| hostLower.endsWith(
|
||||
"." + domain.toLowerCase()));
|
||||
|
||||
if (!isAllowed) {
|
||||
log.debug("URL not in allowed domains list: {}", url);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// Resolve hostname to IP address for network-based checks
|
||||
try {
|
||||
InetAddress address = InetAddress.getByName(host);
|
||||
|
||||
if (config.isBlockPrivateNetworks() && isPrivateAddress(address)) {
|
||||
log.debug("URL blocked - private network address: {}", url);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (config.isBlockLocalhost() && address.isLoopbackAddress()) {
|
||||
log.debug("URL blocked - localhost address: {}", url);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (config.isBlockLinkLocal() && address.isLinkLocalAddress()) {
|
||||
log.debug("URL blocked - link-local address: {}", url);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (config.isBlockCloudMetadata()
|
||||
&& isCloudMetadataAddress(address.getHostAddress())) {
|
||||
log.debug("URL blocked - cloud metadata endpoint: {}", url);
|
||||
return false;
|
||||
}
|
||||
|
||||
} catch (UnknownHostException e) {
|
||||
log.debug("Failed to resolve hostname for SSRF check: {}", host, e);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
|
||||
} catch (Exception e) {
|
||||
log.debug("Failed to parse URL for MEDIUM security check: {}", url, e);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isPrivateAddress(InetAddress address) {
|
||||
return address.isSiteLocalAddress()
|
||||
|| address.isAnyLocalAddress()
|
||||
|| isPrivateIPv4Range(address.getHostAddress());
|
||||
}
|
||||
|
||||
private boolean isPrivateIPv4Range(String ip) {
|
||||
return ip.startsWith("10.")
|
||||
|| ip.startsWith("192.168.")
|
||||
|| (ip.startsWith("172.") && isInRange172(ip))
|
||||
|| ip.startsWith("127.")
|
||||
|| ip.equals("0.0.0.0");
|
||||
}
|
||||
|
||||
private boolean isInRange172(String ip) {
|
||||
String[] parts = ip.split("\\.");
|
||||
if (parts.length >= 2) {
|
||||
try {
|
||||
int secondOctet = Integer.parseInt(parts[1]);
|
||||
return secondOctet >= 16 && secondOctet <= 31;
|
||||
} catch (NumberFormatException e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean isCloudMetadataAddress(String ip) {
|
||||
// AWS/GCP/Azure metadata endpoints
|
||||
return ip.startsWith("169.254.169.254") || ip.startsWith("fd00:ec2::254");
|
||||
}
|
||||
}
|
||||
@ -1,21 +1,64 @@
|
||||
package stirling.software.common.util;
|
||||
|
||||
import org.owasp.html.AttributePolicy;
|
||||
import org.owasp.html.HtmlPolicyBuilder;
|
||||
import org.owasp.html.PolicyFactory;
|
||||
import org.owasp.html.Sanitizers;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
import stirling.software.common.service.SsrfProtectionService;
|
||||
|
||||
@Component
|
||||
public class CustomHtmlSanitizer {
|
||||
|
||||
private static SsrfProtectionService ssrfProtectionService;
|
||||
|
||||
@Autowired
|
||||
public void setSsrfProtectionService(SsrfProtectionService ssrfProtectionService) {
|
||||
CustomHtmlSanitizer.ssrfProtectionService = ssrfProtectionService;
|
||||
}
|
||||
|
||||
private static final AttributePolicy SSRF_SAFE_URL_POLICY =
|
||||
new AttributePolicy() {
|
||||
@Override
|
||||
public String apply(String elementName, String attributeName, String value) {
|
||||
if (value == null || value.trim().isEmpty()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
String trimmedValue = value.trim();
|
||||
|
||||
// Use the SSRF protection service to validate the URL
|
||||
if (ssrfProtectionService != null
|
||||
&& !ssrfProtectionService.isUrlAllowed(trimmedValue)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return trimmedValue;
|
||||
}
|
||||
};
|
||||
|
||||
private static final PolicyFactory SSRF_SAFE_IMAGES_POLICY =
|
||||
new HtmlPolicyBuilder()
|
||||
.allowElements("img")
|
||||
.allowAttributes("alt", "width", "height", "title")
|
||||
.onElements("img")
|
||||
.allowAttributes("src")
|
||||
.matching(SSRF_SAFE_URL_POLICY)
|
||||
.onElements("img")
|
||||
.toFactory();
|
||||
|
||||
private static final PolicyFactory POLICY =
|
||||
Sanitizers.FORMATTING
|
||||
.and(Sanitizers.BLOCKS)
|
||||
.and(Sanitizers.STYLES)
|
||||
.and(Sanitizers.LINKS)
|
||||
.and(Sanitizers.TABLES)
|
||||
.and(Sanitizers.IMAGES)
|
||||
.and(SSRF_SAFE_IMAGES_POLICY)
|
||||
.and(new HtmlPolicyBuilder().disallowElements("noscript").toFactory());
|
||||
|
||||
public static String sanitize(String html) {
|
||||
String htmlAfter = POLICY.sanitize(html);
|
||||
return htmlAfter;
|
||||
return POLICY.sanitize(html);
|
||||
}
|
||||
}
|
||||
|
||||
@ -47,7 +47,8 @@ public class PrintFileController {
|
||||
throws IOException {
|
||||
MultipartFile file = request.getFileInput();
|
||||
String originalFilename = file.getOriginalFilename();
|
||||
if (originalFilename != null && (originalFilename.contains("..") || Paths.get(originalFilename).isAbsolute())) {
|
||||
if (originalFilename != null
|
||||
&& (originalFilename.contains("..") || Paths.get(originalFilename).isAbsolute())) {
|
||||
throw new IOException("Invalid file path detected: " + originalFilename);
|
||||
}
|
||||
String printerName = request.getPrinterName();
|
||||
|
||||
@ -42,7 +42,6 @@ import stirling.software.common.service.CustomPDFDocumentFactory;
|
||||
import stirling.software.common.util.TempFile;
|
||||
import stirling.software.common.util.TempFileManager;
|
||||
import stirling.software.common.util.WebResponseUtils;
|
||||
import java.lang.IllegalArgumentException;
|
||||
|
||||
@RestController
|
||||
@RequestMapping("/api/v1/misc")
|
||||
|
||||
@ -331,7 +331,8 @@ public class PipelineProcessor {
|
||||
for (File file : files) {
|
||||
Path normalizedPath = Paths.get(file.getName()).normalize();
|
||||
if (normalizedPath.startsWith("..")) {
|
||||
throw new SecurityException("Potential path traversal attempt in file name: " + file.getName());
|
||||
throw new SecurityException(
|
||||
"Potential path traversal attempt in file name: " + file.getName());
|
||||
}
|
||||
Path path = Paths.get(file.getAbsolutePath());
|
||||
// debug statement
|
||||
|
||||
@ -83,7 +83,9 @@ public class WatermarkController {
|
||||
MultipartFile watermarkImage = request.getWatermarkImage();
|
||||
if (watermarkImage != null) {
|
||||
String watermarkImageFileName = watermarkImage.getOriginalFilename();
|
||||
if (watermarkImageFileName != null && (watermarkImageFileName.contains("..") || watermarkImageFileName.startsWith("/"))) {
|
||||
if (watermarkImageFileName != null
|
||||
&& (watermarkImageFileName.contains("..")
|
||||
|| watermarkImageFileName.startsWith("/"))) {
|
||||
throw new SecurityException("Invalid file path in watermarkImage");
|
||||
}
|
||||
}
|
||||
|
||||
@ -108,6 +108,17 @@ system:
|
||||
enableAnalytics: null # set to 'true' to enable analytics, set to 'false' to disable analytics; for enterprise users, this is set to true
|
||||
enableUrlToPDF: false # Set to 'true' to enable URL to PDF, INTERNAL ONLY, known security issues, should not be used externally
|
||||
disableSanitize: false # set to true to disable Sanitize HTML; (can lead to injections in HTML)
|
||||
html:
|
||||
urlSecurity:
|
||||
enabled: true # Enable URL security restrictions for HTML processing
|
||||
level: MEDIUM # Security level: MAX (whitelist only), MEDIUM (block internal networks), OFF (no restrictions)
|
||||
allowedDomains: [] # Whitelist of allowed domains (e.g. ['cdn.example.com', 'images.google.com'])
|
||||
blockedDomains: [] # Additional domains to block (e.g. ['evil.com', 'malicious.org'])
|
||||
internalTlds: ['.local', '.internal', '.corp', '.home'] # Block domains with these TLD patterns
|
||||
blockPrivateNetworks: true # Block RFC 1918 private networks (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
|
||||
blockLocalhost: true # Block localhost and loopback addresses (127.x.x.x, ::1)
|
||||
blockLinkLocal: true # Block link-local addresses (169.254.x.x, fe80::/10)
|
||||
blockCloudMetadata: true # Block cloud provider metadata endpoints (169.254.169.254)
|
||||
datasource:
|
||||
enableCustomDatabase: false # Enterprise users ONLY, set this property to 'true' if you would like to use your own custom database configuration
|
||||
customDatabaseUrl: '' # eg jdbc:postgresql://localhost:5432/postgres, set the url for your own custom database connection. If provided, the type, hostName, port and name are not necessary and will not be used
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user