isky/backend-springboot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added url encoding check and fix javascript check for false positive

Browse Source
This commit is contained in:
heyethereum
2024-08-06 08:00:03 +08:00
parent 02085b50b9
commit 3eb53c6ccd
2 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java
View File

@@ -76,6 +76,9 @@ public class URLEntity {
@Column(name = "tracking_descriptions", columnDefinition = "text[]") @Column(name = "tracking_descriptions", columnDefinition = "text[]")
private List<String> trackingDescriptions = new ArrayList<>(); private List<String> trackingDescriptions = new ArrayList<>();
@Column(name = "url_encoding")
private String urlEncoding = "";
@Column(name = "dns_error") @Column(name = "dns_error")
private String dnsError = ""; private String dnsError = "";

15
src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java
View File

@@ -14,6 +14,7 @@ import org.springframework.stereotype.Service;
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLHandshakeException;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.*; import java.net.*;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.*; import java.util.*;
@@ -93,6 +94,9 @@ public class URLVerificationService {
// Check for tracking parameters // Check for tracking parameters
urlObj.setTrackingDescriptions(getTrackingDescriptions(url.getQuery())); urlObj.setTrackingDescriptions(getTrackingDescriptions(url.getQuery()));
// Check for URL encoding
urlObj.setUrlEncoding(checkURLEncoding(url.getPath()));
} catch (Exception e) { } catch (Exception e) {
logger.error("Error in breaking down URL: {}", e.getMessage()); logger.error("Error in breaking down URL: {}", e.getMessage());
} }
@@ -171,7 +175,7 @@ public class URLVerificationService {
List<Pattern> maliciousPatterns = Arrays.asList( List<Pattern> maliciousPatterns = Arrays.asList(
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE), Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE), Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE),
Pattern.compile("on\\w*\\s*=", Pattern.CASE_INSENSITIVE) Pattern.compile("on(click|mouseover|load|error|unload|submit|reset|focus|blur|change|select|keydown|keyup|keypress|mousedown|mousemove|mouseup|mouseenter|mouseleave|contextmenu|dblclick)\\s*=", Pattern.CASE_INSENSITIVE)
); );
// Check for any malicious pattern in the URL // Check for any malicious pattern in the URL
@@ -191,6 +195,15 @@ public class URLVerificationService {
return matcher.find() ? "Yes" : ""; return matcher.find() ? "Yes" : "";
} }
// Function to check text encoding in a URL
private static String checkURLEncoding(String pathTextPart) throws UnsupportedEncodingException {
// Decode the text
String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8.name());
// Check if the decoded text matches the original text
return decodedText.equals(pathTextPart) ? "" : "Yes";
}
// Function to detect if the URL has an IP address // Function to detect if the URL has an IP address
private static String hasIPAddress(String url) { private static String hasIPAddress(String url) {
Pattern pattern = Pattern.compile(IP_PATTERN, Pattern.CASE_INSENSITIVE); Pattern pattern = Pattern.compile(IP_PATTERN, Pattern.CASE_INSENSITIVE);