From 3eb53c6ccd34c1665e4c638e5ddf9eb3bb461331 Mon Sep 17 00:00:00 2001
From: heyethereum
Date: Tue, 6 Aug 2024 08:00:03 +0800
Subject: [PATCH] added url encoding check and fix javascript check for false positive

---
 .../com/safeqr/app/qrcode/entity/URLEntity.java | 3 +++
 .../qrcode/service/URLVerificationService.java | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java b/src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java
index df7192d..9c64dcb 100644
--- a/src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java
+++ b/src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java
@@ -76,6 +76,9 @@ public class URLEntity {
 @Column(name = "tracking_descriptions", columnDefinition = "text[]")
 private List trackingDescriptions = new ArrayList<>();
 
+ @Column(name = "url_encoding")
+ private String urlEncoding = "";
+
 @Column(name = "dns_error")
 private String dnsError = "";
 
diff --git a/src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java b/src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java
index 5650a9f..9ad3dab 100644
--- a/src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java
+++ b/src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java
@@ -14,6 +14,7 @@ import org.springframework.stereotype.Service;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLHandshakeException;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.net.*;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
@@ -93,6 +94,9 @@ public class URLVerificationService {
 
 // Check for tracking parameters
 urlObj.setTrackingDescriptions(getTrackingDescriptions(url.getQuery()));
+
+ // Check for URL encoding
+ urlObj.setUrlEncoding(checkURLEncoding(url.getPath()));
 } catch (Exception e) {
 logger.error("Error in breaking down URL: {}", e.getMessage());
 }
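Review bot: The new `urlObj.setUrlEncoding(checkURLEncoding(url.getPath()))` call on the last added line of the `@@ -93,6 +94,9 @@` hunk can throw — `URLDecoder.decode` raises `IllegalArgumentException` on a malformed escape such as a trailing `%` — and that propagates to the surrounding `catch (Exception e)`, which logs "Error in breaking down URL" and leaves `urlEncoding` at its default `""`, so a malformed URL is recorded as not encoded and any later work in the `try` block is skipped. Guarding the call (or the helper itself) so a decode failure is recorded as a finding rather than aborting the breakdown would make the result well-defined. If `url` is a `java.net.URI` rather than a `java.net.URL`, `getPath()` is already decoded and can be null for opaque URIs, so `getRawPath()` would be the value to inspect — worth confirming against the declaration, which is outside the hunk. The check also covers the path only; the query and fragment components can carry percent-encoding just as well and are not examined. The enclosing `try` block starts outside the hunk.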
@@ -171,7 +175,7 @@ public class URLVerificationService {
 List maliciousPatterns = Arrays.asList(
 Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
 Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE),
- Pattern.compile("on\\w*\\s*=", Pattern.CASE_INSENSITIVE)
+ Pattern.compile("on(click|mouseover|load|error|unload|submit|reset|focus|blur|change|select|keydown|keyup|keypress|mousedown|mousemove|mouseup|mouseenter|mouseleave|contextmenu|dblclick)\\s*=", Pattern.CASE_INSENSITIVE)
 );
 
 // Check for any malicious pattern in the URL
@@ -191,6 +195,15 @@ public class URLVerificationService {
 return matcher.find() ? "Yes" : "";
 }
 
+ // Function to check text encoding in a URL
+ private static String checkURLEncoding(String pathTextPart) throws UnsupportedEncodingException {
+ // Decode the text
+ String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8.name());
+
+ // Check if the decoded text matches the original text
+ return decodedText.equals(pathTextPart) ? "" : "Yes";
+ }
+
 // Function to detect if the URL has an IP address
 private static String hasIPAddress(String url) {
 Pattern pattern = Pattern.compile(IP_PATTERN, Pattern.CASE_INSENSITIVE);
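Review bot: The narrowed pattern on the `+` line still has no leading boundary, so it keeps matching inside ordinary parameter names that merely end in one of the listed words (a query key ending in `...onload=` or `...onclick=` still trips it); a letter lookbehind, `Pattern.compile("(?<![A-Za-z])on(click|...)\\s*=", Pattern.CASE_INSENSITIVE)`, removes that class of false positive while still matching after `?`, `&`, a space or a percent-escape (note that `\\b` would not, because the trailing digit of `%20` counts as a word character). A fixed list of handler names is also inherently incomplete — the HTML spec defines many more `on*` attributes such as `oninput`, `onwheel` and `ontoggle` — so it needs a maintenance comment or a reference, e.g. `// Explicit handler list to avoid matching words like "online="; keep in sync with the HTML event-handler attributes`. Whether the URL is decoded before these patterns are applied cannot be seen here; if it is not, percent-encoded forms of these strings are not caught. The method holding this list starts and ends outside the hunk.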
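Review bot: `checkURLEncoding` relies on `URLDecoder`, which implements form decoding and turns every `+` into a space, so a path containing a literal `+` and no `%` escape at all is reported as encoded (`"Yes"`), and a malformed escape makes `decode` throw `IllegalArgumentException`, which leaves the method undeclared and, in the caller, aborts the whole breakdown. A `%`-presence guard, a null guard and a catch for `IllegalArgumentException` make the result well-defined; if the project builds on Java 10 or later, the `URLDecoder.decode(String, Charset)` overload additionally drops the checked `UnsupportedEncodingException` and the import added in the `@@ -14,6 +14,7 @@` hunk. Removing the `throws` clause is compatible with the caller, which already catches `Exception`. The comment `// Function to check text encoding in a URL` should say what `"Yes"` means — that the path holds percent-escapes that decode to something different from the raw text — so the column's semantics are clear to whoever reads `URLEntity`.
```java
// Function to check text encoding in a URL: "Yes" when the path contains percent-escapes
// (or a malformed escape), "" otherwise.
private static String checkURLEncoding(String pathTextPart) {
    // Without a '%' nothing can decode differently; this also covers a null path.
    if (pathTextPart == null || pathTextPart.indexOf('%') < 0) {
        return "";
    }
    try {
        String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8);
        return decodedText.equals(pathTextPart) ? "" : "Yes";
    } catch (IllegalArgumentException e) {
        // Malformed escape sequence: record it as encoded instead of aborting the caller's breakdown.
        return "Yes";
    }
}
```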