Adding domain check to mitigate SSRF attacks. #7
Conversation
PasinduYeshan commented Aug 11, 2022 (edited)
- When device information is requested from Entgra and the device is not enrolled, Entgra returns 404. That error check is added in this PR.
- Added a domain check before sending HTTP requests.
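The following is an added illustration of the kind of host allow-list check this PR describes; it is not code from this repository or from the conditional-auth function the PR copies. It assumes a hypothetical `ALLOWED_PARENT_DOMAINS` list (in the real project this would come from configuration) and uses `String.split` rather than `StringUtils.split` so it has no dependency beyond the JDK. The parent domain is built by joining the last two labels, which is the point raised in the review: keeping only the second-to-last label turns `api.example.com` into `example`, which can never equal an allow-list entry such as `example.com` (or, if the list held bare labels, would also match `example.net`). The check also rejects IP-literal hosts and non-HTTP schemes, since an allow-list of names is only meaningful when the request actually targets a name.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class RequestDomainCheck {

    private static final String DOMAIN_SEPARATOR = ".";

    // Hypothetical allow-list for this example; a real deployment would load it from config.
    private static final List<String> ALLOWED_PARENT_DOMAINS =
            Arrays.asList("example.com", "entgra.example");

    /**
     * Returns the last two labels of the host joined with a dot, e.g. "api.example.com"
     * becomes "example.com". A single-label host is returned as-is; null/empty yields null.
     */
    static String parentDomain(String host) {
        if (host == null || host.isEmpty()) {
            return null;
        }
        // Lower-case so "API.Example.COM" compares equal to "example.com".
        String[] labels = host.toLowerCase(Locale.ROOT).split("\\.");
        if (labels.length == 0) {
            return null;
        }
        if (labels.length == 1) {
            return labels[0];
        }
        // Join the last two labels instead of keeping only the second-to-last one.
        return labels[labels.length - 2] + DOMAIN_SEPARATOR + labels[labels.length - 1];
    }

    /** Accepts only http(s) URIs whose host's parent domain is on the allow-list. */
    static boolean isValidRequestDomain(URI url) {
        if (url == null) {
            return false;
        }
        String scheme = url.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            return false;
        }
        // getHost() is null for opaque or malformed URIs; treat that as a reject, not a pass.
        String host = url.getHost();
        if (host == null) {
            return false;
        }
        // An IPv6 literal comes back bracketed; an IPv4 literal is four dotted numbers.
        // Neither should slip past a name-based allow-list (e.g. 169.254.169.254).
        if (host.startsWith("[") || host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            return false;
        }
        String parent = parentDomain(host);
        return parent != null && ALLOWED_PARENT_DOMAINS.contains(parent);
    }

    public static void main(String[] args) {
        // Constructed sample targets: one legitimate, three SSRF-style.
        String[] samples = {
                "https://api.example.com/devices/1",
                "https://evil.test/redirect",
                "http://169.254.169.254/latest/meta-data/",
                "https://example.com.attacker.test/"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + isValidRequestDomain(URI.create(s)));
        }
    }
}
```

Two caveats a reviewer would still raise: a two-label parent domain treats `co.uk`-style public suffixes as a single registrable domain, so an allow-list containing such entries would match far more than intended; and this check validates only the URI handed to the HTTP client, so redirects and DNS answers that point elsewhere are not covered unless the client is configured not to follow them.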
if (domain != null) { | ||
domainArr = StringUtils.split(domain, DOMAIN_SEPARATOR); | ||
if (domainArr.length != 0) { | ||
parentDomain = domainArr.length == 1 ? domainArr[0] : domainArr[domainArr.length - 2]; |
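Review bot: the assignment `parentDomain = domainArr.length == 1 ? domainArr[0] : domainArr[domainArr.length - 2];` keeps only the second-to-last label, so a host like `api.example.com` yields `example` rather than `example.com`, and the comparison against the allowed domains will not behave as intended; join the last two labels instead, e.g. `domainArr[domainArr.length - 2] + DOMAIN_SEPARATOR + domainArr[domainArr.length - 1]`. The hunk also shows only the `domain != null` and `domainArr.length != 0` branches; make sure the cases where those fail reject the request rather than fall through as valid.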
Parent domain should be the joined string of the last two elements.
* @param url | ||
* @return validity | ||
*/ | ||
private boolean isValidRequestDomain(URI url) { |
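Review bot: the Javadoc on `isValidRequestDomain(URI url)` has a bare `@param url` and a `@return validity` that do not say what is being validated; document which part of the URI is checked (the host) and against what (the configured allowed domains), so a caller knows that a scheme, port or path difference is not what this method guards. Since the method is private and duplicated from another component, a shared util would also keep the two copies from drifting.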
Isn't there any Framework util method for this?
I got this from the HTTP conditional auth function. It was implemented as a private method and I didn't find any util method for this.