From d75edae214312c16f22441264fe3dc5103f3028a Mon Sep 17 00:00:00 2001
From: Conor Heffron <conor.heffron@gmail.com>
Date: Fri, 27 Sep 2024 01:11:21 +0100
Subject: [PATCH] Fix code scanning alert no. 2: Server-side request forgery (#97)

* Fix code scanning alert no. 2: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* #77 Update GitClient.java & tests

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/java/com/ironoc/portfolio/client/GitClient.java | 5 ++++-
 .../java/com/ironoc/portfolio/client/GitClientTest.java | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/ironoc/portfolio/client/GitClient.java b/src/main/java/com/ironoc/portfolio/client/GitClient.java
index b3de74c..83a187f 100644
--- a/src/main/java/com/ironoc/portfolio/client/GitClient.java
+++ b/src/main/java/com/ironoc/portfolio/client/GitClient.java
@@ -34,7 +34,10 @@ public GitClient(PropertyConfigI propertyConfig,
 @Override
 public HttpsURLConnection createConn(String url) throws IOException {
- if (!urlUtils.isValidURL(url)) {
+ String baseUrl = propertyConfig.getGitApiEndpoint();
+ URL urlBase = new URL(baseUrl);
+ String base = urlBase.getProtocol() + "://" + urlBase.getHost();
+ if (!urlUtils.isValidURL(url) || !url.startsWith(base)) {
 log.error("The url is not valid for GIT client connection, url={}", url);
 return null;
 }
diff --git a/src/test/java/com/ironoc/portfolio/client/GitClientTest.java b/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
index 4c36b29..af638ed 100644
--- a/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
+++ b/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
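Review bot: The origin check added to createConn is `url.startsWith(base)` with `base` being `protocol://host` and no trailing separator, so any URL whose host merely begins with the configured host name, or one that places the configured host in a userinfo section ahead of the real host, still satisfies the prefix test, which leaves the server-side request forgery this commit is meant to close only partly addressed. Parse the candidate URL and compare scheme, host (case-insensitively) and port against the configured endpoint, reject userinfo, and let a candidate that fails to parse fall into the existing `return null` path rather than surfacing a MalformedURLException from the new line. Note also that `new URL(baseUrl)` now runs before `isValidURL`, so a mis-configured endpoint throws from every call instead of logging; that may be intended but is a behaviour change worth a comment. The body of createConn continues past the end of the hunk, so the helper below is placed ahead of the method to avoid touching the rest.

```java
    /**
     * True only when {@code candidate} parses, carries no userinfo and targets the same
     * scheme, host and port as the configured Git API endpoint.
     */
    private static boolean isSameOrigin(URL base, String candidate) {
        try {
            URL target = new URL(candidate);
            return target.getUserInfo() == null
                    && base.getProtocol().equalsIgnoreCase(target.getProtocol())
                    && base.getHost().equalsIgnoreCase(target.getHost())
                    && base.getPort() == target.getPort();
        } catch (MalformedURLException e) {
            return false;
        }
    }

    @Override
    public HttpsURLConnection createConn(String url) throws IOException {
        URL urlBase = new URL(propertyConfig.getGitApiEndpoint());
        if (!urlUtils.isValidURL(url) || !isSameOrigin(urlBase, url)) {
            log.error("The url is not valid for GIT client connection, url={}", url);
            return null;
        }
        // … unchanged: connection setup continues outside the hunk …
```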
@@ -42,7 +42,7 @@ public class GitClientTest {
 @Mock
 private InputStream inputStreamMock;
- private static final String TEST_URL = "https://cloud-conor.com";
+ private static final String TEST_URL = "https://unittest.github.com/users/conorheffron/repos";
 @Test
 public void test_readInputStream_fail() throws IOException {
@@ -79,6 +79,7 @@ public void test_close_success() throws IOException {
 @Test
 public void test_createConn_without_token_success() throws IOException {
 // given
+ when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
 when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
 // when
@@ -86,6 +87,7 @@ public void test_createConn_without_token_success() throws IOException {
 // then
 verify(urlUtilsMock).isValidURL(TEST_URL);
+ verify(propertyConfigMock).getGitApiEndpoint();
 verify(propertyConfigMock).getGitFollowRedirects();
 verify(propertyConfigMock).getGitTimeoutConnect();
 verify(propertyConfigMock).getGitTimeoutRead();
@@ -98,6 +100,7 @@ public void test_createConn_without_token_success() throws IOException {
 @Test
 public void test_createConn_with_token_success() throws IOException {
 // given
+ when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
 when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
 when(secretManagerMock.getGitSecret()).thenReturn("test_fake_token");
@@ -106,6 +109,7 @@ public void test_createConn_with_token_success() throws IOException {
 // then
 verify(urlUtilsMock).isValidURL(TEST_URL);
+ verify(propertyConfigMock).getGitApiEndpoint();
 verify(propertyConfigMock).getGitFollowRedirects();
 verify(propertyConfigMock).getGitTimeoutConnect();
 verify(propertyConfigMock).getGitTimeoutRead();
@@ -118,6 +122,7 @@ public void test_createConn_with_token_success() throws IOException {
 @Test
 public void test_createConn_invalid_url_fail() throws IOException {
 // given
+ when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
 when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(false);
 // when
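Review bot: Every test touched here, and the one in the following hunk, stubs `getGitApiEndpoint()` to return TEST_URL, the very string passed to createConn, so the new origin comparison is only ever exercised in the trivially-equal case; test_createConn_invalid_url_fail is rejected because `isValidURL` is stubbed to false and never reaches the prefix check at all. Without a negative case the SSRF guard can be weakened or removed and this suite stays green. Add one test where `isValidURL` is stubbed true for a URL on a different host than the configured endpoint, e.g. `when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL); when(urlUtilsMock.isValidURL(OTHER_HOST_URL)).thenReturn(true);` (OTHER_HOST_URL being a constructed constant on an unrelated host), and assert that createConn returns null and that none of the connection-setup getters are called. Each test method's body continues outside its hunk.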
@@ -125,6 +130,7 @@ public void test_createConn_invalid_url_fail() throws IOException {
 // then
 verify(urlUtilsMock).isValidURL(TEST_URL);
+ verify(propertyConfigMock).getGitApiEndpoint();
 verify(propertyConfigMock, never()).getGitFollowRedirects();
 verify(propertyConfigMock, never()).getGitTimeoutConnect();
 verify(propertyConfigMock, never()).getGitTimeoutRead();