add filter to check referer

Author: JoyChou93

README.md

@@ -37,6 +37,7 @@
 - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)
+- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 

src/main/java/org/joychou/Application.java

@@ -3,10 +3,12 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
+@ServletComponentScan
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
 public class Application extends SpringBootServletInitializer {

src/main/java/org/joychou/CsrfAccessDeniedHandler.java

@@ -13,13 +13,15 @@
 
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-
+    /**
+     * @desc 返回自定义拦截页面
+     */
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
-        response.setContentType(MediaType.TEXT_HTML_VALUE);
-        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-        response.getWriter().write("CSRF check failed by JoyChou.");
+        response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
+        response.getWriter().write("CSRF check failed by JoyChou.");  // response
     }
 
 }

src/main/java/org/joychou/WebSecurityConfig.java

@@ -37,6 +37,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .requireCsrfProtectionMatcher(csrfRequestMatcher)
                 .ignoringAntMatchers("/xxe/**", "/fastjon/**")  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
+        // 自定义csrf校验失败的代码，默认是返回403错误页面
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
         // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
     }

src/main/java/org/joychou/controller/CORS.java

@@ -1,6 +1,6 @@
 package org.joychou.controller;
 
-import org.joychou.utils.Security;
+import org.joychou.security.SecurityUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -52,11 +52,10 @@ private static String vuls3(HttpServletResponse response) {
     @ResponseBody
     private static String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");
-        Security sec = new Security();
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && !sec.checkSafeUrl(origin, urlwhitelist) ) {
+        if ( origin != null && !SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);

src/main/java/org/joychou/controller/FileUpload.java

@@ -9,6 +9,8 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
+import javax.imageio.ImageIO;
+import java.awt.image.BufferedImage;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -17,8 +19,6 @@
 import java.nio.file.Paths;
 import java.util.UUID;
 
-import static org.joychou.utils.Security.isImage;
-
 
 /**
  * @author: JoyChou (joychou@joychou.org)
@@ -154,4 +154,16 @@ private File convert(MultipartFile multiFile) throws Exception {
         fos.close();
         return convFile;
     }
+
+    /**
+     * @param file
+     * @desc 判断文件内容是否是图片
+     */
+    public static boolean isImage(File file) throws IOException {
+        BufferedImage bi = ImageIO.read(file);
+        if (bi == null) {
+            return false;
+        }
+        return true;
+    }
 }

src/main/java/org/joychou/controller/JSONP.java

@@ -1,6 +1,6 @@
 package org.joychou.controller;
 
-import org.joychou.utils.Security;
+import org.joychou.security.SecurityUtil;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
@@ -17,7 +17,7 @@
 public class JSONP {
 
     protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+    protected static String[] urlwhitelist = {"joychou.com", "joychou.org"};
 
 
     // http://localhost:8080/jsonp/referer?callback=test
@@ -31,19 +31,19 @@ private static String referer(HttpServletRequest request, HttpServletResponse re
     }
 
     /**
-     * Desc: 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
-     * URL:  http://localhost:8080/jsonp/emptyReferer?callback=test
+     * 直接访问不限制Referer，非直接访问限制Referer (开发同学喜欢这样进行JSONP测试)
+     * http://localhost:8080/jsonp/emptyReferer?callback=test
+     *
      */
     @RequestMapping("/emptyReferer")
     @ResponseBody
     private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) {
         String referer = request.getHeader("referer");
         response.setHeader("Access-Control-Allow-Origin", "*");
-        Security sec = new Security();
 
         // 如果referer不为空，并且referer不在安全域名白名单内，return error
         // 导致空referer就会绕过校验。开发同学为了方便测试，不太喜欢校验空Referer
-        if (null != referer && !sec.checkSafeUrl(referer, urlwhitelist)) {
+        if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }
 
@@ -58,9 +58,8 @@ private static String sec(HttpServletRequest request, HttpServletResponse respon
         // JSONP的跨域设置
         response.setHeader("Access-Control-Allow-Origin", "*");
         String referer = request.getHeader("referer");
-        Security sec = new Security();
 
-        if (!sec.checkSafeUrl(referer, urlwhitelist)) {
+        if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) {
             return "error";
         }