From 4d65def8bb00315e710b348a5268a3d053ea64fd Mon Sep 17 00:00:00 2001
From: Arnaud Roques
Date: Tue, 6 Dec 2022 18:42:54 +0100
Subject: [PATCH] Improve proxy management

---
 .../plantuml/servlet/OldProxyServlet.java | 5 +++++
 .../plantuml/servlet/ProxyServlet.java | 22 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/src/main/java/net/sourceforge/plantuml/servlet/OldProxyServlet.java b/src/main/java/net/sourceforge/plantuml/servlet/OldProxyServlet.java
index d3af50a..4bdee14 100644
--- a/src/main/java/net/sourceforge/plantuml/servlet/OldProxyServlet.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/OldProxyServlet.java
@@ -68,6 +68,11 @@ public class OldProxyServlet extends HttpServlet {
         String num = proxyMatcher.group(2); // Optional number of the diagram source
         String format = proxyMatcher.group(4); // Expected format of the generated diagram
         String sourceURL = proxyMatcher.group(5);
+        if (ProxyServlet.forbiddenURL(sourceURL)) {
+            response.setStatus(400);
+            return;
+        }
+
         handleImageProxy(response, num, format, sourceURL);
     }
 
diff --git a/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java b/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java
index 3adb468..151e35b 100644
--- a/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java
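Review bot: `ProxyServlet.forbiddenURL` dereferences its argument without a null check, so if `proxyMatcher.group(5)` can be null for the proxy pattern (the pattern is not visible in this hunk) the new guard throws a NullPointerException and the request fails with a 500 instead of the intended 400; `if (sourceURL == null || ProxyServlet.forbiddenURL(sourceURL)) {` keeps the rejection path uniform. A bare `setStatus(400)` also sends no body, so the caller gets no indication that the source URL was rejected; `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "source URL not allowed");` says why without echoing the submitted URL back into the response. The enclosing method begins before this hunk.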
@@ -63,12 +63,34 @@ public class ProxyServlet extends HttpServlet {
         }
     }
 
+    public static boolean forbiddenURL(String full) {
+        if (full.startsWith("https://") == false && full.startsWith("http://") == false) {
+            return true;
+        }
+        if (full.matches("^https?://[-#.0-9:\\[\\]+]+/.*")) {
+            return true;
+        }
+        if (full.matches("^https?://[^.]+/.*")) {
+            return true;
+        }
+        if (full.matches("^https?://[^.]+$")) {
+            return true;
+        }
+        return false;
+    }
+
+
 
     @Override
     public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
         final String fmt = request.getParameter("fmt");
         final String source = request.getParameter("src");
         final String index = request.getParameter("idx");
+        if (forbiddenURL(source)) {
+            response.setStatus(400);
+            return;
+        }
+
         final URL srcUrl;
         // Check if the src URL is valid
         try {
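Review bot: `request.getParameter("src")` returns null when the parameter is absent, and `forbiddenURL(source)` then throws a NullPointerException at `full.startsWith(...)`, so a request with no `src` now fails with a 500 instead of reaching the existing "Check if the src URL is valid" block; making the first line of `forbiddenURL` `if (full == null || !(full.startsWith("https://") || full.startsWith("http://"))) {` fixes both this caller and the one in OldProxyServlet. The remaining checks are a denylist on the string shape of the URL: they reject literal numeric and bracketed IPv6 hosts and dot-less hostnames, but an ordinary DNS name that resolves to a loopback, link-local or private address is accepted, and only some notations of an address literal are recognized. A defence that does not depend on spelling is to resolve the host and reject any result for which `InetAddress` reports loopback, site-local, link-local or any-local, as sketched below; the connection that follows should use the address that passed the check, and if the fetch follows redirects (not visible here) the same check should be applied to each redirect target. The sketch needs `java.net.InetAddress`, `java.net.UnknownHostException` and `java.net.MalformedURLException` imported; `java.net.URL` is already in use in this file.
```java
public static boolean forbiddenURL(String full) {
    if (full == null || !(full.startsWith("https://") || full.startsWith("http://"))) {
        return true;
    }
    // … unchanged: the three literal-host regex checks …
    final String host;
    try {
        host = new URL(full).getHost();
    } catch (MalformedURLException e) {
        return true;
    }
    if (host == null || host.isEmpty()) {
        return true;
    }
    try {
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                return true;
            }
        }
    } catch (UnknownHostException e) {
        // unresolvable hosts cannot be fetched anyway; reject rather than fall through
        return true;
    }
    return false;
}
```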