fixed possible SSRF
albogdano committed Jul 7, 2021
1 parent e230485 commit cfd6405
Showing 1 changed file with 3 additions and 1 deletion.
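--- a/src/main/java/com/erudika/scoold/utils/HttpUtils.java
+++ b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
@@ -200,7 +200,9 @@ public static String getCookieValue(HttpServletRequest req, String name) {
 * @return the content of the image or null
 */
 public static void getAvatar(String url, HttpServletResponse res) {
-if (StringUtils.isBlank(url)) {
+if (StringUtils.isBlank(url) || !StringUtils.startsWithIgnoreCase(url, "https://") ||
+StringUtils.containsAnyIgnoreCase(url, "localhost", "127.0.0.1", "0177.0.0.1", "0x7f.0.0.1", "0x7f000001",
+"2130706433", "017700000001", "127.0.1", "127.1")) {
 getDefaultAvatarImage(res);
 return;
 }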
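Review bot: The new guard at the top of getAvatar matches the raw URL string against a fixed denylist of loopback spellings, so an internal destination written in any notation not on the list, a private or link-local range, or a hostname that resolves to an internal address still passes, while a public URL that merely contains one of the substrings anywhere (for example `127.1` inside a path or query) is wrongly rejected. A more robust check parses the value with `java.net.URI`, requires the `https` scheme and a non-null host, resolves the host and rejects every address for which `InetAddress` reports loopback, any-local, link-local, site-local or multicast; the helper below replaces the `startsWithIgnoreCase`/`containsAnyIgnoreCase` pair. Resolution at check time can differ from resolution at fetch time, and the fetch should also not follow redirects — that code is outside this hunk, so I cannot confirm it here. getAvatar's body continues past the end of the hunk.

```java
public static void getAvatar(String url, HttpServletResponse res) {
	if (StringUtils.isBlank(url) || !isPublicHttpsUrl(url)) {
		getDefaultAvatarImage(res);
		return;
	}
	// … unchanged: rest of getAvatar …

// new helper, declared alongside getAvatar:
/** Accepts only https URLs whose host resolves exclusively to non-loopback, non-private, non-multicast addresses. */
private static boolean isPublicHttpsUrl(String url) {
	try {
		URI uri = new URI(url);
		if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
			return false;
		}
		for (InetAddress addr : InetAddress.getAllByName(uri.getHost())) {
			if (addr.isLoopbackAddress() || addr.isAnyLocalAddress() || addr.isLinkLocalAddress()
					|| addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
				return false;
			}
		}
		return true;
	} catch (URISyntaxException | UnknownHostException e) {
		// unparsable or unresolvable input is treated as not allowed
		return false;
	}
}
```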
