fix Snyk SSRF warning.

zkoss · Dec 11, 2023 · 38b027b · 38b027b
1 parent 45169f8
commit 38b027b
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/zk/src/main/java/org/zkoss/zk/ui/http/DHtmlLayoutServlet.java b/zk/src/main/java/org/zkoss/zk/ui/http/DHtmlLayoutServlet.java
@@ -168,6 +168,10 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 	 */
 	protected boolean process(Session sess, HttpServletRequest request, HttpServletResponse response, String path,
 			boolean bRichlet) throws ServletException, IOException {
+
+		// Fix Server-Side Request Forgery (SSRF)
+		if (!Https.isValidPath(path)) return false;
+
 		final WebApp wapp = sess.getWebApp();
 		final WebAppCtrl wappc = (WebAppCtrl) wapp;
 		final Configuration config = wapp.getConfiguration();

diff --git a/zk/src/main/java/org/zkoss/zk/ui/http/RichletFilter.java b/zk/src/main/java/org/zkoss/zk/ui/http/RichletFilter.java
@@ -138,6 +138,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
 	protected boolean process(Session sess, HttpServletRequest request, HttpServletResponse response, String path,
 			boolean bRichlet) throws ServletException, IOException {
+
+		// Fix Server-Side Request Forgery (SSRF)
+		if (!Https.isValidPath(path)) return false;
+
 		final WebApp wapp = sess.getWebApp();
 		final WebAppCtrl wappc = (WebAppCtrl) wapp;
 		final Configuration config = wapp.getConfiguration();

diff --git a/zweb/src/main/java/org/zkoss/web/servlet/http/Https.java b/zweb/src/main/java/org/zkoss/web/servlet/http/Https.java
@@ -22,11 +22,13 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
+import java.nio.file.Paths;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
 import java.util.Map;
+import java.util.regex.Pattern;
 import java.util.zip.GZIPOutputStream;
 
 import javax.servlet.ServletContext;
@@ -376,6 +378,47 @@ public static final Date toDate(String sdate) throws ParseException {
 		throw ex;
 	}
 
+	private static final String PATH_REGEX = "^(/[-\\w:@&?=+,.!/~*'%$_;\\(\\)]*)?$";
+	private static final Pattern PATH_PATTERN = Pattern.compile(PATH_REGEX);
+
+	/**
+	 * Returns whether the specified path is valid.
+	 * It is valid if it is null, or starts with "/" and doesn't contain "..".
+	 *
+	 * @since 10.0.0
+	 */
+	public static final boolean isValidPath(String path) {
+		if (path == null)
+			return false;
+		path = Paths.get(path).normalize().toString();
+
+		if (!PATH_PATTERN.matcher(path).matches()) {
+			return false;
+		}
+		if (path.startsWith("/../") || path.equals("/..")) {
+			return false;
+		}
+		final int slash2Count = countToken("//", path);
+		if (slash2Count > 0) {
+			return false;
+		}
+
+		return true;
+	}
+
+	private static int countToken(final String token, final String target) {
+		int tokenIndex = 0;
+		int count = 0;
+		while (tokenIndex != -1) {
+			tokenIndex = target.indexOf(token, tokenIndex);
+			if (tokenIndex > -1) {
+				tokenIndex++;
+				count++;
+				}
+			}
+		return count;
+	}
+
 	/**
 	 * Converts a data to a string complaint to HTTP protocol.
 	 */