Skip to content

Commit

Permalink
18.0.3 release
Browse files Browse the repository at this point in the history
  • Loading branch information
@davidjgraph
davidjgraph committed May 13, 2022
1 parent ad77475 commit 283d41e
Showing 1 changed file with 38 additions and 28 deletions.
66 changes: 38 additions & 28 deletions src/main/java/com/mxgraph/online/ProxyServlet.java
View file
Expand Up @@ -15,6 +15,7 @@
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
import java.net.InetAddress;
import java.util.logging.Level;
import java.util.logging.Logger;

Expand Down Expand Up @@ -245,42 +246,51 @@ public boolean checkUrlParameter(String url)
{
URL parsedUrl = new URL(url);
String protocol = parsedUrl.getProtocol();
String host = parsedUrl.getHost().toLowerCase();
String host = parsedUrl.getHost();
InetAddress address = InetAddress.getByName(host);
String hostAddress = address.getHostAddress();
host = host.toLowerCase();

return (protocol.equals("http") || protocol.equals("https"))
&& !host.endsWith(".internal")
&& !host.endsWith(".local")
&& !host.contains("localhost")
&& !host.startsWith("0.") // 0.0.0.0/8
&& !host.startsWith("10.") // 10.0.0.0/8
&& !host.startsWith("127.") // 127.0.0.0/8
&& !host.startsWith("169.254.") // 169.254.0.0/16
&& !host.startsWith("172.16.") // 172.16.0.0/12
&& !host.startsWith("172.17.") // 172.16.0.0/12
&& !host.startsWith("172.18.") // 172.16.0.0/12
&& !host.startsWith("172.19.") // 172.16.0.0/12
&& !host.startsWith("172.20.") // 172.16.0.0/12
&& !host.startsWith("172.21.") // 172.16.0.0/12
&& !host.startsWith("172.22.") // 172.16.0.0/12
&& !host.startsWith("172.23.") // 172.16.0.0/12
&& !host.startsWith("172.24.") // 172.16.0.0/12
&& !host.startsWith("172.25.") // 172.16.0.0/12
&& !host.startsWith("172.26.") // 172.16.0.0/12
&& !host.startsWith("172.27.") // 172.16.0.0/12
&& !host.startsWith("172.28.") // 172.16.0.0/12
&& !host.startsWith("172.29.") // 172.16.0.0/12
&& !host.startsWith("172.30.") // 172.16.0.0/12
&& !host.startsWith("172.31.") // 172.16.0.0/12
&& !host.startsWith("192.0.0.") // 192.0.0.0/24
&& !host.startsWith("192.168.") // 192.168.0.0/16
&& !host.startsWith("198.18.") // 198.18.0.0/15
&& !host.startsWith("198.19.") // 198.18.0.0/15
&& !address.isAnyLocalAddress()
&& !address.isLoopbackAddress()
&& !host.endsWith(".internal") // Redundant
&& !host.endsWith(".local") // Redundant
&& !host.contains("localhost") // Redundant
&& !hostAddress.startsWith("0.") // 0.0.0.0/8
&& !hostAddress.startsWith("10.") // 10.0.0.0/8
&& !hostAddress.startsWith("127.") // 127.0.0.0/8
&& !hostAddress.startsWith("169.254.") // 169.254.0.0/16
&& !hostAddress.startsWith("172.16.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.17.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.18.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.19.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.20.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.21.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.22.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.23.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.24.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.25.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.26.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.27.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.28.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.29.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.30.") // 172.16.0.0/12
&& !hostAddress.startsWith("172.31.") // 172.16.0.0/12
&& !hostAddress.startsWith("192.0.0.") // 192.0.0.0/24
&& !hostAddress.startsWith("192.168.") // 192.168.0.0/16
&& !hostAddress.startsWith("198.18.") // 198.18.0.0/15
&& !hostAddress.startsWith("198.19.") // 198.18.0.0/15
&& !host.endsWith(".arpa"); // reverse domain (needed?)
}
catch (MalformedURLException e)
{
return false;
}
catch (UnknownHostException e)
{
return false;
}
}
else
{
Expand Down

0 comments on commit 283d41e

Please sign in to comment.