From d75edae214312c16f22441264fe3dc5103f3028a Mon Sep 17 00:00:00 2001
From: Conor Heffron <conor.heffron@gmail.com>
Date: Fri, 27 Sep 2024 01:11:21 +0100
Subject: [PATCH] Fix code scanning alert no. 2: Server-side request forgery
 (#97)

* Fix code scanning alert no. 2: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* #77 Update GitClient.java & tests

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main/java/com/ironoc/portfolio/client/GitClient.java  | 5 ++++-
 .../java/com/ironoc/portfolio/client/GitClientTest.java   | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/ironoc/portfolio/client/GitClient.java b/src/main/java/com/ironoc/portfolio/client/GitClient.java
index b3de74c..83a187f 100644
--- a/src/main/java/com/ironoc/portfolio/client/GitClient.java
+++ b/src/main/java/com/ironoc/portfolio/client/GitClient.java
@@ -34,7 +34,10 @@ public GitClient(PropertyConfigI propertyConfig,
 
     @Override
     public HttpsURLConnection createConn(String url) throws IOException {
-        if (!urlUtils.isValidURL(url)) {
+        String baseUrl = propertyConfig.getGitApiEndpoint();
+        URL urlBase = new URL(baseUrl);
+        String base = urlBase.getProtocol() + "://" + urlBase.getHost();
+        if (!urlUtils.isValidURL(url) || !url.startsWith(base)) {
             log.error("The url is not valid for GIT client connection, url={}", url);
             return null;
         }
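Review bot: The new guard on the `if` line compares the request URL to `base` with a plain string prefix, so the check passes for any URL whose authority merely begins with the configured host text (a longer host name, or a userinfo/port segment after it), which leaves the SSRF alert only partially addressed. Comparing parsed components instead of a prefix closes that gap: parse the candidate once with `URL target = new URL(url);` and require protocol, host and port to match those of `urlBase`. Note that `new URL(url)` throws `MalformedURLException` (an `IOException`) rather than taking the log-and-return-null branch, so it should sit after `urlUtils.isValidURL(url)` or be caught explicitly if callers rely on the `null` contract; `new URL(String)` is also deprecated on recent JDKs, where `URI.create(...).toURL()` is the suggested form. createConn's body continues past the end of this hunk.

```java
    String baseUrl = propertyConfig.getGitApiEndpoint();
    URL urlBase = new URL(baseUrl);
    if (!urlUtils.isValidURL(url)) {
        log.error("The url is not valid for GIT client connection, url={}", url);
        return null;
    }
    // Compare parsed components, not a string prefix: a prefix match accepts
    // any authority that merely starts with the configured host text.
    URL target = new URL(url);
    if (!urlBase.getProtocol().equalsIgnoreCase(target.getProtocol())
            || !urlBase.getHost().equalsIgnoreCase(target.getHost())
            || urlBase.getPort() != target.getPort()) {
        log.error("The url is not valid for GIT client connection, url={}", url);
        return null;
    }
    // … unchanged: connection setup …
```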
diff --git a/src/test/java/com/ironoc/portfolio/client/GitClientTest.java b/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
index 4c36b29..af638ed 100644
--- a/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
+++ b/src/test/java/com/ironoc/portfolio/client/GitClientTest.java
@@ -42,7 +42,7 @@ public class GitClientTest {
     @Mock
     private InputStream inputStreamMock;
 
-    private static final String TEST_URL = "https://cloud-conor.com";
+    private static final String TEST_URL = "https://unittest.github.com/users/conorheffron/repos";
 
     @Test
     public void test_readInputStream_fail() throws IOException {
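Review bot: With `TEST_URL` now returned from `getGitApiEndpoint()` and also passed as the request URL, every updated test exercises the new base-URL check only on an exact match, so the `!url.startsWith(base)` branch added in GitClient.createConn is never the reason a connection is rejected (the hunks at test_createConn_without_token_success, test_createConn_with_token_success and test_createConn_invalid_url_fail all share this). test_createConn_invalid_url_fail still rejects solely because `isValidURL` is stubbed to `false`. A dedicated negative case is worth adding: stub `getGitApiEndpoint()` with `TEST_URL`, stub `isValidURL` to `true`, call `createConn` with a URL on a different host, assert the result is `null`, and verify with `never()` that the redirect/timeout properties were not read. A positive case with the same host but a different path would also pin the intended acceptance behaviour.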
@@ -79,6 +79,7 @@ public void test_close_success() throws IOException {
     @Test
     public void test_createConn_without_token_success() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
 
         // when
@@ -86,6 +87,7 @@ public void test_createConn_without_token_success() throws IOException {
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock).getGitFollowRedirects();
         verify(propertyConfigMock).getGitTimeoutConnect();
         verify(propertyConfigMock).getGitTimeoutRead();
@@ -98,6 +100,7 @@ public void test_createConn_without_token_success() throws IOException {
     @Test
     public void test_createConn_with_token_success() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(true);
         when(secretManagerMock.getGitSecret()).thenReturn("test_fake_token");
 
@@ -106,6 +109,7 @@ public void test_createConn_with_token_success() throws IOException {
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock).getGitFollowRedirects();
         verify(propertyConfigMock).getGitTimeoutConnect();
         verify(propertyConfigMock).getGitTimeoutRead();
@@ -118,6 +122,7 @@ public void test_createConn_with_token_success() throws IOException {
     @Test
     public void test_createConn_invalid_url_fail() throws IOException {
         // given
+        when(propertyConfigMock.getGitApiEndpoint()).thenReturn(TEST_URL);
         when(urlUtilsMock.isValidURL(TEST_URL)).thenReturn(false);
 
         // when
@@ -125,6 +130,7 @@ public void test_createConn_invalid_url_fail() throws IOException {
 
         // then
         verify(urlUtilsMock).isValidURL(TEST_URL);
+        verify(propertyConfigMock).getGitApiEndpoint();
         verify(propertyConfigMock, never()).getGitFollowRedirects();
         verify(propertyConfigMock, never()).getGitTimeoutConnect();
         verify(propertyConfigMock, never()).getGitTimeoutRead();