资源注入、服务器端请求伪造

servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java

@@ -16,6 +16,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -43,6 +44,9 @@ public class SysUploaderApi  extends ApiBaseController{
 	
 	@Autowired
 	XFileUploader uploader;
+
+	@Value(value = "${boe.domain}")
+	String domain;
 	
 	private static Set<String> fileTypeSet=new HashSet<>();
 	static {
@@ -149,7 +153,8 @@ public class SysUploaderApi  extends ApiBaseController{
 	@RequestMapping(value = "/url/download", method = RequestMethod.GET)
     public void urlDownload(HttpServletResponse res,String urlStr,String fileName) throws IOException {
 
-		URL url = new URL(urlStr);    
+		URL url = new URL(urlStr);
+		downloadLimitation(url);
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();    
                 //设置超时间为3秒  
         conn.setConnectTimeout(3*1000);  
@@ -193,4 +198,19 @@ public class SysUploaderApi  extends ApiBaseController{
 		  //System.out.println("success");
     }
 
+	private void downloadLimitation(URL url) {
+		String allowedDomain = domain;
+		String allowedPathPrefix = "/upload/xfile/";
+
+		// 检查域名是否正确
+		if (!url.getHost().equals(allowedDomain)) {
+			throw new SecurityException("Download from this domain is not allowed.");
+		}
+
+		// 检查路径是否以允许的路径前缀开始
+		if (!url.getPath().startsWith(allowedPathPrefix)) {
+			throw new SecurityException("Download from this path is not allowed.");
+		}
+	}
+
 }