hao123skyblue
diff --git a/‎src/main/java/org/joychou/config/WebConfig.java
+48-9 b/‎src/main/java/org/joychou/config/WebConfig.java
+48-9
diff --git a/‎src/main/java/org/joychou/controller/FileUpload.java
+30-7 b/‎src/main/java/org/joychou/controller/FileUpload.java
+30-7
diff --git a/‎src/main/java/org/joychou/controller/URLWhiteList.java
+45-58 b/‎src/main/java/org/joychou/controller/URLWhiteList.java
+45-58
@@ -12,30 +12,59 @@
 @Component
 public class WebConfig {
 
-    private static Boolean referSecEnabled = false;
     private static String[] callbacks;
+    private static Boolean  jsonpReferCheckEnabled = false;
+    private static String[] jsonpRefererHost;
     private static String[] referWhitelist;
     private static String[] referUris;
+    private static Boolean referSecEnabled = false;
+    private static String businessCallback;
 
-    @Value("${joychou.security.referer.enabled}")
-    public void setReferSecEnabled(Boolean referSecEnabled){
-        WebConfig.referSecEnabled = referSecEnabled;
+    /**
+     * application.properties里object自动转jsonp的referer校验开关
+     * @param jsonpReferCheckEnabled jsonp校验开关
+     */
+    @Value("${joychou.security.jsonp.referer.check.enabled}")
+    public void setJsonpReferCheckEnabled(Boolean jsonpReferCheckEnabled){
+        WebConfig.jsonpReferCheckEnabled = jsonpReferCheckEnabled;
     }
-    public static Boolean getReferSecEnabled(){
-        return referSecEnabled;
+    public static Boolean getJsonpReferCheckEnabled(){
+        return jsonpReferCheckEnabled;
     }
 
 
     @Value("${joychou.security.jsonp.callback}")
-    public void setCallbacks(String[] callbacks){
+    public void setJsonpCallbacks(String[] callbacks){
         WebConfig.callbacks = callbacks;
     }
-    public static String[] getCallbacks(){
+    public static String[] getJsonpCallbacks(){
         return callbacks;
     }
 
 
-    @Value("${joychou.security.referer.hostwhitelist}")
+    /**
+     * application.properties里object自动转jsonp的referer白名单域名
+     * @param jsonpRefererHost 白名单域名，仅支持一级域名
+     */
+    @Value("${joychou.security.jsonp.referer.host}")
+    public void setJsonpReferWhitelist(String[] jsonpRefererHost){
+        WebConfig.jsonpRefererHost = jsonpRefererHost;
+    }
+    public static String[] getJsonpReferWhitelist(){
+        return jsonpRefererHost;
+    }
+
+
+    @Value("${joychou.security.referer.enabled}")
+    public void setReferSecEnabled(Boolean referSecEnabled){
+        WebConfig.referSecEnabled = referSecEnabled;
+    }
+    public static Boolean getReferSecEnabled(){
+        return referSecEnabled;
+    }
+
+
+    @Value("${joychou.security.referer.host}")
     public void setReferWhitelist(String[] referWhitelist){
         WebConfig.referWhitelist = referWhitelist;
     }
@@ -52,4 +81,14 @@ public void setReferUris(String[] referUris)
     public static String[] getReferUris(){
         return referUris;
     }
+
+
+    @Value("${joychou.business.callback}")
+    public void setBusinessCallback(String businessCallback){
+        WebConfig.businessCallback = businessCallback;
+    }
+    public static String getBusinessCallback(){
+        return businessCallback;
+    }
+
 }
@@ -1,6 +1,8 @@
 package org.joychou.controller;
 
 import com.fasterxml.uuid.Generators;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -23,7 +25,7 @@
 /**
  * @author  JoyChou ([email protected])
  * @date    2018.08.15
- * @desc    Java file upload
+ * @desc    File upload
  */
 
 @Controller
@@ -32,6 +34,7 @@ public class FileUpload {
 
     // Save the uploaded file to this folder
     private static String UPLOADED_FOLDER = "/tmp/";
+    private final Logger logger= LoggerFactory.getLogger(this.getClass());
 
     @GetMapping("/")
     public String index() {
@@ -80,22 +83,42 @@ public String uploadPicture(@RequestParam("file") MultipartFile multifile,
             return "redirect:/file/status";
         }
 
-        // get suffix
         String fileName = multifile.getOriginalFilename();
-        String Suffix = fileName.substring(fileName.lastIndexOf("."));
-
+        String Suffix = fileName.substring(fileName.lastIndexOf(".")); // 获取文件后缀名
+        String mimeType = multifile.getContentType(); // 获取MIME类型
         File excelFile = convert(multifile);
 
-        // security check
-        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};
+        // 判断文件后缀名是否在白名单内
+        String picSuffixList[] = {".jpg", ".png", ".jpeg", ".gif", ".bmp"};  // 后缀名白名单
         Boolean suffixFlag = false;
         for (String white_suffix : picSuffixList) {
             if (Suffix.toLowerCase().equals(white_suffix)) {
                 suffixFlag = true;
                 break;
             }
         }
-        if ( !suffixFlag || !isImage(excelFile) ) {
+
+        if (!suffixFlag) {
+            logger.error("[-] Suffix error: " + Suffix);
+        }
+
+        String mimeTypeBlackList[] = {"text/html"}; // 不允许传html
+
+        Boolean mimeBlackFlag = false;
+        for (String blackMimeType : mimeTypeBlackList) {
+            if (mimeType.equalsIgnoreCase(blackMimeType) ) {
+                mimeBlackFlag = true;
+                logger.error("[-] Mime type error: " + mimeType);
+                break;
+            }
+        }
+
+        boolean isImageFlag = isImage(excelFile);
+
+        if( !isImageFlag ){
+            logger.error("[-] File is not Image");
+        }
+        if ( !suffixFlag || mimeBlackFlag || !isImageFlag ) {
             redirectAttributes.addFlashAttribute("message", "illeagl picture");
             deleteFile(excelFile);
             return "redirect:/file/status";
 
@@ -1,11 +1,10 @@
 package org.joychou.controller;
 
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URL;
 import java.util.ArrayList;
@@ -20,22 +19,20 @@
  * @version   2018.08.23
  */
 
-@Controller
+@RestController
 @RequestMapping("/url")
 public class URLWhiteList {
 
 
     private String domainwhitelist[] = {"joychou.org", "joychou.com"};
-
+    private static final Logger logger = LoggerFactory.getLogger(URLWhiteList.class);
     /**
      * bypass poc: bypassjoychou.org
-     * http://localhost:8080/url/endswith?url=http://aaajoychou.org
+     * http://localhost:8080/url/vuln/endswith?url=http://aaajoychou.org
      *
      */
-    @RequestMapping("/endswith")
-    @ResponseBody
-    public String endsWith(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/endsWith")
+    public String endsWith(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -47,15 +44,15 @@ public String endsWith(HttpServletRequest request) throws Exception{
         return "Bad url.";
     }
 
+
     /**
      * bypass poc: joychou.org.bypass.com or bypassjoychou.org.
-     * http://localhost:8080/url/contains?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * http://localhost:8080/url/vuln/contains?url=http://joychou.org.bypass.com
+     * http://localhost:8080/url/vuln/contains?url=http://bypassjoychou.org
      *
      */
-    @RequestMapping("/contains")
-    @ResponseBody
-    public String contains(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/contains")
+    public String contains(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -70,13 +67,11 @@ public String contains(HttpServletRequest request) throws Exception{
 
     /**
      * bypass poc: bypassjoychou.org. It's the same with endsWith.
-     * http://localhost:8080/url/regex?url=http://aaajoychou.org
+     * http://localhost:8080/url/vuln/regex?url=http://aaajoychou.org
      *
      */
-    @RequestMapping("/regex")
-    @ResponseBody
-    public String regex(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/regex")
+    public String regex(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost().toLowerCase();
 
@@ -92,15 +87,14 @@ public String regex(HttpServletRequest request) throws Exception{
 
     /**
      * bypass poc: joychou.org.bypass.com or bypassjoychou.org. It's the same with contains.
-     * http://localhost:8080/url/indexof?url=http://joychou.org.bypass.com http://bypassjoychou.org
+     * http://localhost:8080/url/vuln/indexOf?url=http://joychou.org.bypass.com http://bypassjoychou.org
      *
      */
-    @RequestMapping("/indexof")
-    @ResponseBody
-    public String indexOf(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
+    @GetMapping("/vuln/indexOf")
+    public String indexOf(@RequestParam("url") String url) throws Exception{
         URL u = new URL(url);
         String host = u.getHost();
+
         // If indexOf returns -1, it means that no string was found.
         for (String domain: domainwhitelist){
             if (host.indexOf(domain) != -1) {
@@ -113,24 +107,22 @@ public String indexOf(HttpServletRequest request) throws Exception{
     /**
      * The bypass of using java.net.URL to getHost.
      *
-     * Bypass poc1: curl -v 'http://localhost:8080/url/url_bypass?url=http://evel.com%[email protected]/a.html'
-     * Bypass poc2: curl -v 'http://localhost:8080/url/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
+     * Bypass poc1: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evel.com%[email protected]/a.html'
+     * Bypass poc2: curl -v 'http://localhost:8080/url/vuln/url_bypass?url=http://evil.com%5cwww.joychou.org/a.html'
      *
      * Detail: https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass
      */
-    @RequestMapping("/url_bypass")
-    @ResponseBody
-    public String url_bypass(HttpServletRequest request) throws Exception{
-        String url = request.getParameter("url");
-        System.out.println("url:  " + url);
+    @GetMapping("/vuln/url_bypass")
+    public String url_bypass(@RequestParam("url") String url) throws Exception{
+        logger.info("url:  " + url);
         URL u = new URL(url);
 
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
             return "Url is not http or https";
         }
 
         String host = u.getHost().toLowerCase();
-        System.out.println("host:  " + host);
+        logger.info("host:  " + host);
 
         // endsWith .
         for (String domain: domainwhitelist){
@@ -145,18 +137,16 @@ public String url_bypass(HttpServletRequest request) throws Exception{
 
 
     /**
-     * First-level host whitelist.
-     * http://localhost:8080/url/seccode1?url=http://aa.taobao.com
+     * 一级域名白名单 First-level host whitelist.
+     * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
      *
      */
-    @RequestMapping("/seccode1")
-    @ResponseBody
-    public String seccode1(HttpServletRequest request) throws Exception{
+    @GetMapping("/sec/endswith")
+    public String sec_endswith(@RequestParam("url") String url) throws Exception{
 
-        String whiteDomainlists[] = {"taobao.com", "tmall.com"};
-        String url = request.getParameter("url");
+        String whiteDomainlists[] = {"joychou.org", "joychou.com"};
 
-        URI uri = new URI(url);
+        URI uri = new URI(url); // 必须用URI
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
             return "SecurityUtil is not http or https";
         }
@@ -174,15 +164,13 @@ public String seccode1(HttpServletRequest request) throws Exception{
     }
 
     /**
-     * Muti-level host whitelist.
-     * http://localhost:8080/url/seccode2?url=http://ccc.bbb.taobao.com
+     * 多级域名白名单 Multi-level host whitelist.
+     * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
      *
      */
-    @RequestMapping("/seccode2")
-    @ResponseBody
-    public String seccode2(HttpServletRequest request) throws Exception{
-        String whiteDomainlists[] = {"aaa.taobao.com", "ccc.bbb.taobao.com"};
-        String url = request.getParameter("url");
+    @GetMapping("/sec/multi_level_host")
+    public String sec_multi_level_host(@RequestParam("url") String url) throws Exception{
+        String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
 
         URI uri = new URI(url);
         if (!url.startsWith("http://") && !url.startsWith("https://")) {
@@ -199,21 +187,20 @@ public String seccode2(HttpServletRequest request) throws Exception{
         return "Bad url.";
     }
 
+
     /**
-     * Muti-level host whitelist.
-     * http://localhost:8080/url/seccode3?url=http://ccc.bbb.taobao.com
+     * 多级域名白名单 Multi-level host whitelist.
+     * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      *
      */
-    @RequestMapping("/seccode3")
-    @ResponseBody
-    public String seccode3(HttpServletRequest request) throws Exception{
+    @GetMapping("/sec/array_indexOf")
+    public String sec_array_indexOf(@RequestParam("url") String url) throws Exception{
 
         // Define muti-level host whitelist.
-        ArrayList<String> whiteDomainlists = new ArrayList<String>();
-        whiteDomainlists.add("bbb.taobao.com");
-        whiteDomainlists.add("ccc.bbb.taobao.com");
+        ArrayList<String> whiteDomainlists = new ArrayList<>();
+        whiteDomainlists.add("bbb.joychou.org");
+        whiteDomainlists.add("ccc.bbb.joychou.org");
 
-        String url = request.getParameter("url");
         URI uri = new URI(url);
 
         if (!url.startsWith("http://") && !url.startsWith("https://")) {