Fix code scanning alert no. 2: Server-side request forgery (#97)

* Fix code scanning alert no. 2: Server-side request forgery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * #77 Update GitClient.java & tests --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
conorheffron · Sep 27, 2024 · d75edae · d75edae
1 parent 54c4856
commit d75edae
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/src/main/java/com/ironoc/portfolio/client/GitClient.java b/src/main/java/com/ironoc/portfolio/client/GitClient.java
@@ -34,7 +34,10 @@ public GitClient(PropertyConfigI propertyConfig,
 
     @Override
     public HttpsURLConnection createConn(String url) throws IOException {
-        if (!urlUtils.isValidURL(url)) {
+        String baseUrl = propertyConfig.getGitApiEndpoint();
+        URL urlBase = new URL(baseUrl);
+        String base = urlBase.getProtocol() + "://" + urlBase.getHost();
+        if (!urlUtils.isValidURL(url) || !url.startsWith(base)) {
             log.error("The url is not valid for GIT client connection, url={}", url);
             return null;
         }

diff --git a/src/test/java/com/ironoc/portfolio/client/GitClientTest.java b/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
@@ -42,7 +42,7 @@ public class GitClientTest {
     @Mock
     private InputStream inputStreamMock;
 
-    private static final String TEST_URL = "https://cloud-conor.com";
+    private static final String TEST_URL = "https://unittest.github.com/users/conorheffron/repos";
 
     @Test
     public void test_readInputStream_fail() throws IOException {
@@ -79,13 +79,15 @@ public void test_close_success() throws IOException {
     @Test
     public void test_createConn_without_token_success() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
 
         // when
         HttpsURLConnection result = gitClient.createConn(TEST_URL);
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock).getGitFollowRedirects();
         verify(propertyConfigMock).getGitTimeoutConnect();
         verify(propertyConfigMock).getGitTimeoutRead();
@@ -98,6 +100,7 @@ public void test_createConn_without_token_success() throws IOException {
     @Test
     public void test_createConn_with_token_success() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
         when(secretManagerMock.getGitSecret()).thenReturn("test_fake_token");
 
@@ -106,6 +109,7 @@ public void test_createConn_with_token_success() throws IOException {
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock).getGitFollowRedirects();
         verify(propertyConfigMock).getGitTimeoutConnect();
         verify(propertyConfigMock).getGitTimeoutRead();
@@ -118,13 +122,15 @@ public void test_createConn_with_token_success() throws IOException {
     @Test
     public void test_createConn_invalid_url_fail() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(false);
 
         // when
         HttpsURLConnection result = gitClient.createConn(TEST_URL);
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock, never()).getGitFollowRedirects();
         verify(propertyConfigMock, never()).getGitTimeoutConnect();
         verify(propertyConfigMock, never()).getGitTimeoutRead();