2022-09-01 17:36:53 +02:00
|
|
|
=== How to fix it in Java SE
|
|
|
|
|
|
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
|
|
2022-10-18 16:03:10 +02:00
|
|
|
==== Noncompliant code example
|
2022-09-15 10:28:08 +02:00
|
|
|
|
|
|
|
|
[source,java,diff-id=1,diff-type=noncompliant]
|
2022-09-01 17:36:53 +02:00
|
|
|
----
|
|
|
|
|
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
|
|
|
|
|
String location = req.getParameter("url");
|
|
|
|
|
|
|
|
|
|
URL url = new URL(location);
|
|
|
|
|
|
2022-09-15 10:28:08 +02:00
|
|
|
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
2022-09-01 17:36:53 +02:00
|
|
|
}
|
|
|
|
|
----
|
2022-09-15 10:28:08 +02:00
|
|
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
|
|
|
|
|
|
[source,java,diff-id=1,diff-type=compliant]
|
2022-09-01 17:36:53 +02:00
|
|
|
----
|
|
|
|
|
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
|
|
|
|
|
String location = req.getParameter("url");
|
|
|
|
|
|
|
|
|
|
List<String> allowedHosts = new ArrayList<String>();
|
|
|
|
|
allowedHosts.add("https://trusted1.example.com/");
|
|
|
|
|
allowedHosts.add("https://trusted2.example.com/");
|
|
|
|
|
|
|
|
|
|
URL url = new URL(location);
|
|
|
|
|
|
|
|
|
|
if (allowedHosts.contains(location))
|
|
|
|
|
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2022-09-15 10:28:08 +02:00
|
|
|
include::../../common/fix/how-does-this-work.adoc[]
|
2022-09-15 14:25:49 +02:00
|
|
|
|
2022-11-23 17:38:23 +01:00
|
|
|
The compliant code example uses such an approach.
|
|
|
|
|
|
2022-09-15 14:25:49 +02:00
|
|
|
=== Pitfalls
|
|
|
|
|
|
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[]
|
|
|
|
|
|
|
|
|
|
|
