CVE-2022-1723: 18.0.6 release · jgraph/drawio@7a68ebe
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.
@@ -11,11 +11,9 @@ import java.io.InputStream; import java.io.OutputStream; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; import java.net.URLConnection; import java.net.UnknownHostException; import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger;
@@ -68,7 +66,7 @@ protected void doGet(HttpServletRequest request, { String urlParam = request.getParameter(“url”);
if (checkUrlParameter(urlParam)) if (Utils.sanitizeUrl(urlParam)) { // build the UML source from the compressed request parameter String ref = request.getHeader(“referer”); @@ -118,7 +116,7 @@ protected void doGet(HttpServletRequest request, { String redirectUrl = connection.getHeaderField(“Location”);
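Review bot: The new guard `Utils.sanitizeUrl(urlParam)` is named as if it rewrote the parameter, but it is used as a boolean predicate and urlParam appears to be passed on unchanged, so the call site no longer says what is being decided; the same applies to the hunk at line 118 on redirectUrl. With the implementation now outside this file, a short comment at the call would help, e.g. `// Utils.sanitizeUrl only validates the URL (scheme and resolved target); it does not modify urlParam`, or the method could be renamed to something like `isUrlAllowed` in Utils. Separately, if the moved check still resolves the host once via InetAddress as the removed checkUrlParameter did, the later HttpURLConnection performs its own lookup, so a host whose DNS answer differs between the two resolutions is not covered by the check; connecting to the address that was validated, or validating the address the connection actually uses, closes that gap. doGet's body starts before and continues past this hunk.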
if (!checkUrlParameter(redirectUrl)) if (!Utils.sanitizeUrl(redirectUrl)) { break; } @@ -235,72 +233,6 @@ protected void copyResponse(InputStream is, OutputStream out, byte[] head, } }
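Review bot: `redirectUrl` is taken straight from the Location header and handed to `Utils.sanitizeUrl`, yet Location is allowed to be a relative reference; if the validator parses it with `new URL(String)` as the removed checkUrlParameter did, a relative redirect throws MalformedURLException and is rejected, which is safe but ends the loop for an ordinary same-origin redirect. Resolving against the URL just fetched before validating keeps the check on an absolute URL: `if (redirectUrl != null) { redirectUrl = new URL(connection.getURL(), redirectUrl).toString(); }` placed before the `if`, with the null guard covering responses that carry no Location header. How the caller treats the break, and the rest of doGet, are outside this hunk.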
/** * Checks if the URL parameter is legal. */ public boolean checkUrlParameter(String url) { if (url != null) { try { URL parsedUrl = new URL(url); String protocol = parsedUrl.getProtocol(); String host = parsedUrl.getHost(); InetAddress address = InetAddress.getByName(host); String hostAddress = address.getHostAddress(); host = host.toLowerCase();
return (protocol.equals(“http”) || protocol.equals(“https”)) && !address.isAnyLocalAddress() && !address.isLoopbackAddress() && !address.isLinkLocalAddress() && !host.endsWith(“.internal”) // Redundant && !host.endsWith(“.local”) // Redundant && !host.contains(“localhost”) // Redundant && !hostAddress.startsWith(“0.”) // 0.0.0.0/8 && !hostAddress.startsWith(“10.”) // 10.0.0.0/8 && !hostAddress.startsWith(“127.”) // 127.0.0.0/8 && !hostAddress.startsWith(“169.254.”) // 169.254.0.0/16 && !hostAddress.startsWith(“172.16.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.17.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.18.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.19.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.20.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.21.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.22.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.23.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.24.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.25.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.26.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.27.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.28.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.29.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.30.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.31.”) // 172.16.0.0/12 && !hostAddress.startsWith(“192.0.0.”) // 192.0.0.0/24 && !hostAddress.startsWith(“192.168.”) // 192.168.0.0/16 && !hostAddress.startsWith(“198.18.”) // 198.18.0.0/15 && !hostAddress.startsWith(“198.19.”) // 198.18.0.0/15 && !hostAddress.startsWith(“fc00::”) // fc00::/7 https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private && !hostAddress.startsWith(“fd00::”) // fd00::/8 && !host.endsWith(“.arpa”); // reverse domain (needed?) } catch (MalformedURLException e) { return false; } catch (UnknownHostException e) { return false; } } else { return false; } }
/** * Returns true if the content check should be omitted. */