Add RestTemplate SSRF

JoyChou93 · JoyChou93 · commit e4190d6213d4 · 2022-10-21T20:13:28.000+08:00
diff --git a/src/main/java/org/joychou/config/HttpServiceConfig.java b/src/main/java/org/joychou/config/HttpServiceConfig.java
@@ -0,0 +1,38 @@
+package org.joychou.config;
+
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+
+
+class CustomClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
+
+
+    @Override
+    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
+        super.prepareConnection(connection, httpMethod);
+        // Use custom ClientHttpRequestFactory to set followRedirects false.
+        connection.setInstanceFollowRedirects(false);
+    }
+}
+
+@Configuration
+public class HttpServiceConfig {
+
+    @Bean
+    public RestTemplate restTemplateBanRedirects(RestTemplateBuilder builder) {
+        return builder.requestFactory(CustomClientHttpRequestFactory.class).build();
+    }
+
+
+    @Bean
+    public RestTemplate restTemplate(RestTemplateBuilder builder) {
+        return builder.build();
+    }
+
+}
diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java
@@ -2,12 +2,16 @@
 
 import org.joychou.security.SecurityUtil;
 import org.joychou.security.ssrf.SSRFException;
+import org.joychou.service.HttpService;
 import org.joychou.util.HttpUtils;
 import org.joychou.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 
+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.*;
@@ -23,8 +27,10 @@
 @RequestMapping("/ssrf")
 public class SSRF {
 
-    private static Logger logger = LoggerFactory.getLogger(SSRF.class);
+    private static final Logger logger = LoggerFactory.getLogger(SSRF.class);
 
+    @Resource
+    private HttpService httpService;
 
     /**
      * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
@@ -266,4 +272,27 @@ public String HttpSyncClients(@RequestParam("url") String url) {
     }
 
 
+    /**
+     * http://127.0.0.1:8080/ssrf/restTemplate/vuln?url=http://www.baidu.com <p>
+     * Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    @GetMapping("/restTemplate/vuln1")
+    public String RestTemplateUrlBanRedirects(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttpBanRedirects(url, headers);
+    }
+
+
+    @GetMapping("/restTemplate/vuln2")
+    public String RestTemplateUrl(String url){
+        HttpHeaders headers = new HttpHeaders();
+        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);
+        return httpService.RequestHttp(url, headers);
+    }
+
+
+
 }
diff --git a/src/main/java/org/joychou/filter/OriginFilter.java b/src/main/java/org/joychou/filter/OriginFilter.java
@@ -6,8 +6,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-
-import org.apache.catalina.servlet4preview.http.HttpFilter;
 import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/src/main/java/org/joychou/impl/HttpServiceImpl.java b/src/main/java/org/joychou/impl/HttpServiceImpl.java
@@ -0,0 +1,44 @@
+package org.joychou.impl;
+
+
+import org.joychou.service.HttpService;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.HttpMethod;
+
+import javax.annotation.Resource;
+
+@Service
+public class HttpServiceImpl implements HttpService {
+
+    @Resource
+    private RestTemplate restTemplate;
+
+    @Resource
+    private RestTemplate restTemplateBanRedirects;
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: GET HttpMethod follow redirects by default, other HttpMethods do not follow redirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttp(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplate.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+
+    /**
+     * Http request by RestTemplate. Only support HTTP protocol. <p>
+     * Redirects: Disable followRedirects.<p>
+     * User-Agent: Java/1.8.0_102 <p>
+     */
+    public String RequestHttpBanRedirects(String url, HttpHeaders headers) {
+        HttpEntity<String> entity = new HttpEntity<>(headers);
+        ResponseEntity<String> re = restTemplateBanRedirects.exchange(url, HttpMethod.GET, entity, String.class);
+        return re.getBody();
+    }
+}
diff --git a/src/main/java/org/joychou/service/HttpService.java b/src/main/java/org/joychou/service/HttpService.java
@@ -0,0 +1,11 @@
+package org.joychou.service;
+
+
+import org.springframework.http.HttpHeaders;
+
+public interface HttpService {
+
+    String RequestHttp(String url, HttpHeaders headers);
+
+    String RequestHttpBanRedirects(String url, HttpHeaders headers);
+}
diff --git a/src/main/java/org/joychou/util/HttpUtils.java b/src/main/java/org/joychou/util/HttpUtils.java
@@ -221,5 +221,4 @@ public static String HttpAsyncClients(String url) {
             }
         }
     }
-
 }
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java
@@ -83,6 +83,7 @@ public static Boolean verifyTokenByJavaJwt(String token) {
 
 
     public static String getNicknameByJavaJwt(String token) {
+        // If the signature is not verified, there will be security issues.
         if (!verifyTokenByJavaJwt(token)) {
             log.error("token is invalid");
             return null;

Original file line number	Diff line number	Diff line change
`@@ -221,5 +221,4 @@ public static String HttpAsyncClients(String url) {`
`221`	`221`	`}`
`222`	`222`	`}`
`223`	`223`	`}`
`224`		`-`
`225`	`224`	`}`