Added URL encoding check and fixed the JavaScript check for a false positive

This commit is contained in:
heyethereum
2024-08-06 08:00:03 +08:00
parent 02085b50b9
commit 3eb53c6ccd
2 changed files with 17 additions and 1 deletions


@@ -14,6 +14,7 @@ import org.springframework.stereotype.Service;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
@@ -93,6 +94,9 @@ public class URLVerificationService {
// Check for tracking parameters
urlObj.setTrackingDescriptions(getTrackingDescriptions(url.getQuery()));
// Check for URL encoding
urlObj.setUrlEncoding(checkURLEncoding(url.getPath()));
} catch (Exception e) {
logger.error("Error in breaking down URL: {}", e.getMessage());
}
@@ -171,7 +175,7 @@ public class URLVerificationService {
List<Pattern> maliciousPatterns = Arrays.asList(
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE),
Pattern.compile("on\\w*\\s*=", Pattern.CASE_INSENSITIVE)
Pattern.compile("on(click|mouseover|load|error|unload|submit|reset|focus|blur|change|select|keydown|keyup|keypress|mousedown|mousemove|mouseup|mouseenter|mouseleave|contextmenu|dblclick)\\s*=", Pattern.CASE_INSENSITIVE)
);
// Check for any malicious pattern in the URL
@@ -191,6 +195,15 @@ public class URLVerificationService {
return matcher.find() ? "Yes" : "";
}
// Function to check text encoding in a URL
private static String checkURLEncoding(String pathTextPart) throws UnsupportedEncodingException {
// Decode the text
String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8.name());
// Check if the decoded text matches the original text
return decodedText.equals(pathTextPart) ? "" : "Yes";
}
// Function to detect if the URL has an IP address
private static String hasIPAddress(String url) {
Pattern pattern = Pattern.compile(IP_PATTERN, Pattern.CASE_INSENSITIVE);
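Review bot: `checkURLEncoding` decides "encoded" by round-tripping through `URLDecoder.decode`, which applies form-encoding rules rather than path rules — every `+` becomes a space, so a path containing a literal `+` is reported as encoded with no percent-escape present, and a malformed escape (a stray `%` or `%zz`) throws `IllegalArgumentException`, which the `catch (Exception e)` in the earlier hunk turns into an "Error in breaking down URL" log with `urlEncoding` never set. Testing directly for a percent-escape matches the stated intent and cannot throw: `return PERCENT_ESCAPE.matcher(pathTextPart).find() ? "Yes" : "";` with a class-level `private static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9a-fA-F]{2}");`, which also removes the need for the new `UnsupportedEncodingException` import. If decoding is kept and the project targets Java 10 or later, the `URLDecoder.decode(String, Charset)` overload takes the already-imported `StandardCharsets.UTF_8` and does not declare the checked exception. If `url` is a `java.net.URI`, `getPath()` can be null for opaque URIs and should be guarded before the call; `hasIPAddress` continues past the hunk.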