Improve proxy management

Arnaud Roques 2022-12-06 18:42:54 +01:00
parent efd53664f2
commit 4d65def8bb
2 changed files with 27 additions and 0 deletions


@ -68,6 +68,11 @@ public class OldProxyServlet extends HttpServlet {
String num = proxyMatcher.group(2); // Optional number of the diagram source
String format = proxyMatcher.group(4); // Expected format of the generated diagram
String sourceURL = proxyMatcher.group(5);
if (ProxyServlet.forbiddenURL(sourceURL)) {
response.setStatus(400);
return;
}
handleImageProxy(response, num, format, sourceURL);
}
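Review bot: The rejection path added before `handleImageProxy` is silent: it sets a bare `400` and returns, so a refused source URL leaves no server-side trace and operators cannot see blocked proxy attempts. Consider logging the rejection with the file's existing logging facility, if it has one, taking care to strip control characters from `sourceURL` first, and replacing the magic number with `response.setStatus(HttpServletResponse.SC_BAD_REQUEST);`. The same pattern appears in `ProxyServlet.doGet`. The enclosing method starts outside this hunk, so whether `proxyMatcher.group(5)` can be null here cannot be confirmed from the visible lines.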


@ -63,12 +63,34 @@ public class ProxyServlet extends HttpServlet {
}
}
public static boolean forbiddenURL(String full) {
if (full.startsWith("https://") == false && full.startsWith("http://") == false) {
return true;
}
if (full.matches("^https?://[-#.0-9:\\[\\]+]+/.*")) {
return true;
}
if (full.matches("^https?://[^.]+/.*")) {
return true;
}
if (full.matches("^https?://[^.]+$")) {
return true;
}
return false;
}
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
final String fmt = request.getParameter("fmt");
final String source = request.getParameter("src");
final String index = request.getParameter("idx");
if (forbiddenURL(source)) {
response.setStatus(400);
return;
}
final URL srcUrl;
// Check if the src URL is valid
try {
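Review bot: `forbiddenURL` dereferences `full` without a null check, so a request with no `src` parameter now fails in `full.startsWith(...)` with a NullPointerException instead of returning the 400 that `doGet` intends. The remaining checks are purely lexical: they reject literal-address and dot-less hosts but say nothing about what a dotted hostname resolves to, and the string is presumably parsed a second time by the URL code that begins at the end of this hunk, so the filter and the fetch may disagree on the host. A sturdier form keeps the lexical checks, then parses the URL once, resolves the host and rejects loopback, wildcard, link-local and site-local addresses, as sketched below. Redirect handling in the fetch path is not visible here and would need the same check on every hop. `OldProxyServlet` calls the same function, so the change covers both call sites; the three `String.matches` calls could also become `static final Pattern` constants.

```java
public static boolean forbiddenURL(String full) {
    // A missing parameter is rejected rather than dereferenced.
    if (full == null) {
        return true;
    }
    // … unchanged: scheme check and the three lexical host patterns …
    try {
        // Decide on the host the URL parser actually sees, not on the raw string.
        final String host = new URL(full).getHost();
        if (host == null || host.isEmpty()) {
            return true;
        }
        for (InetAddress address : InetAddress.getAllByName(host)) {
            if (address.isLoopbackAddress() || address.isAnyLocalAddress()
                    || address.isLinkLocalAddress() || address.isSiteLocalAddress()) {
                return true;
            }
        }
    } catch (MalformedURLException | UnknownHostException e) {
        // Fail closed: an unparsable or unresolvable source is not proxied.
        return true;
    }
    // NOTE: this is a point-in-time check; the later fetch should connect to the
    // address validated here, otherwise a second DNS lookup can return a different one.
    return false;
}
```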