isky/backend-springboot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hide empty values in dto and edited check endcoded url for false positive

Browse Source
This commit is contained in:
ltiongku
2024-08-06 20:21:47 +08:00
parent 3eb53c6ccd
commit 529d27d07c
2 changed files with 51 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/main/java/com/safeqr/app/qrcode/entity/URLEntity.java
View File

@@ -1,6 +1,7 @@
package com.safeqr.app.qrcode.entity;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import io.hypersistence.utils.hibernate.type.array.ListArrayType;
import jakarta.persistence.*;
@@ -35,53 +36,82 @@ public class URLEntity {
private String domain;
@JsonInclude(JsonInclude.Include.NON_EMPTY)
private String subdomain;
private String topLevelDomain;
private String path;
@JsonProperty
private String query;
@JsonInclude(JsonInclude.Include.NON_EMPTY)
private String fragment;
private int redirect = 0;
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Type(ListArrayType.class)
@Column(name = "hsts_header", columnDefinition = "text[]")
private List<String> hstsHeader = new ArrayList<>();
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Type(ListArrayType.class)
@Column(name = "ssl_stripping", columnDefinition = "boolean[]")
private List<Boolean> sslStripping = new ArrayList<>();
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Type(ListArrayType.class)
@Column(name = "redirect_chain", columnDefinition = "text[]")
private List<String> redirectChain = new ArrayList<>();
@Column(name = "hostname_embedding")
private int hostnameEmbedding = 0;
private Integer hostnameEmbedding = 0;
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name = "javascript_check")
private String javascriptCheck = "";
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name = "shortening_service")
private String shorteningService = "";
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name = "has_ip_address")
private String hasIpAddress = "";
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Type(ListArrayType.class)
@Column(name = "tracking_descriptions", columnDefinition = "text[]")
private List<String> trackingDescriptions = new ArrayList<>();
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name = "url_encoding")
private String urlEncoding = "";
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name = "dns_error")
private String dnsError = "";
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@Column(name="ssl_error")
private String sslError = "";
// Custom getter for hostnameEmbedding
@JsonInclude(JsonInclude.Include.NON_NULL)
public Integer getHostnameEmbedding() {
return hostnameEmbedding == 0 ? null : hostnameEmbedding;
}
// Custom getter for path
@JsonInclude(JsonInclude.Include.NON_NULL)
public String getPath() {
return path.isEmpty() ? null : path;
}
// Custom getter for query
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonProperty
public String getQuery() {
return query.equals("{}") ? null : query;
}
}

27
src/main/java/com/safeqr/app/qrcode/service/URLVerificationService.java
View File

@@ -71,7 +71,8 @@ public class URLVerificationService {
public URLEntity breakdownURL(String urlString) {
URLEntity urlObj = new URLEntity();
try {
URL url = new URI(encodeUrl(urlString)).toURL();
//URL url = new URI(encodeUrl(urlString)).toURL();
URL url = new URI(urlString).toURL();
String host = url.getHost();
// Check for deceptive URL
@@ -88,15 +89,22 @@ public class URLVerificationService {
populateHostDetails(host, urlObj);
urlObj.setPath(Optional.ofNullable(url.getPath()).filter(p -> !p.isEmpty()).orElse("/"));
urlObj.setQuery(parseQueryParams(url.getQuery()));
urlObj.setPath(Optional.ofNullable(url.getPath()).filter(p -> !p.isEmpty()).orElse(""));
String query = parseQueryParams(url.getQuery());
urlObj.setQuery(query);
urlObj.setFragment(Optional.ofNullable(url.getRef()).orElse(""));
// Check for tracking parameters
urlObj.setTrackingDescriptions(getTrackingDescriptions(url.getQuery()));
// Check for URL encoding
urlObj.setUrlEncoding(checkURLEncoding(url.getPath()));
// Check for URL encoding in path and query
String pathEncoding = checkURLEncoding(url.getPath());
String queryEncoding = query != null ? checkURLEncoding(query) : "";
// Combine encoding results
urlObj.setUrlEncoding(pathEncoding.equals("Yes") || queryEncoding.equals("Yes") ? "Yes" : "");
} catch (Exception e) {
logger.error("Error in breaking down URL: {}", e.getMessage());
}
@@ -171,6 +179,9 @@ public class URLVerificationService {
}
private String checkForJavascriptCode(String url) {
// Decode the URL
String decodedUrl = URLDecoder.decode(url, StandardCharsets.UTF_8);
// Patterns to detect 'javascript:', '<script>', and 'on*=' attributes
List<Pattern> maliciousPatterns = Arrays.asList(
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
@@ -180,7 +191,7 @@ public class URLVerificationService {
// Check for any malicious pattern in the URL
for (Pattern pattern : maliciousPatterns) {
Matcher matcher = pattern.matcher(url);
Matcher matcher = pattern.matcher(decodedUrl);
if (matcher.find()) {
return "Javascript found in URL.";
}
@@ -196,9 +207,9 @@ public class URLVerificationService {
}
// Function to check text encoding in a URL
private static String checkURLEncoding(String pathTextPart) throws UnsupportedEncodingException {
private static String checkURLEncoding(String pathTextPart) {
// Decode the text
String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8.name());
String decodedText = URLDecoder.decode(pathTextPart, StandardCharsets.UTF_8);
// Check if the decoded text matches the original text
return decodedText.equals(pathTextPart) ? "" : "Yes";