From 01c06992ecf5dfb171bab597617c8a89da6c1525 Mon Sep 17 00:00:00 2001
From: ronger
Date: Fri, 12 Jan 2024 08:00:01 +0800
Subject: [PATCH] =?UTF-8?q?:bug:=20=E5=A2=9E=E5=8A=A0=E5=AF=B9=E5=BD=93?= =?UTF-8?q?=E5=89=8D=20host=20=E6=98=AF=E5=90=A6=E4=B8=BA=20IPv4=20?= =?UTF-8?q?=E5=92=8C=20IPv6=20=E5=9C=B0=E5=9D=80=E7=9A=84=E5=88=A4?= =?UTF-8?q?=E6=96=AD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/main/java/com/rymcu/forest/util/SSRFUtil.java | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/main/java/com/rymcu/forest/util/SSRFUtil.java b/src/main/java/com/rymcu/forest/util/SSRFUtil.java
index 3785bb4..2f7be14 100644
--- a/src/main/java/com/rymcu/forest/util/SSRFUtil.java
+++ b/src/main/java/com/rymcu/forest/util/SSRFUtil.java
@@ -1,5 +1,6 @@
 package com.rymcu.forest.util;
+import com.google.common.net.InetAddresses;
 import com.google.common.net.InternetDomainName;
 import java.net.MalformedURLException;
@@ -22,9 +23,10 @@ public class SSRFUtil {
 try {
 // 获取域名,并转为小写
 String host = url.getHost().toLowerCase();
- // 禁止内网 IP
- if (internalIp(host)) {
- return false;
+ // 判断是不是 IPv4 或 IPv6
+ if (InetAddresses.isInetAddress(host)) {
+ // 禁止内网 IP
+ return !internalIp(host);
 }
 if (checkWhiteList) {
 // 获取一级域名
@@ -38,7 +40,7 @@ public class SSRFUtil {
 }
 public static void main(String[] args) throws MalformedURLException {
- URL url = new URL("http://127.0.0.1:8080");
+ URL url = new URL("https://rymcu.com");
 boolean b = checkUrl(url, false);
 System.out.println(b);
 }
@@ -50,7 +52,7 @@ public class SSRFUtil {
 private static boolean internalIp(byte[] addr) {
 if (Objects.isNull(addr) || addr.length < 2) {
- return true;
+ return false;
 }
 final byte b0 = addr[0];
 final byte b1 = addr[1];
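Review bot: In the `@@ -22,9 +23,10 @@` hunk of SSRFUtil.java, the internal-address check now runs only when `host` is an IP literal, so every hostname skips `internalIp(host)` and, with `checkWhiteList` false, reaches the code after the hunk without any range check. `internalIp(String)` is not visible here, but if it resolved names before this change, hostnames that resolve to loopback or private ranges are no longer rejected. `URL.getHost()` returns IPv6 literals in square brackets, which `InetAddresses.isInetAddress` does not accept, so the test should be `if (InetAddresses.isUriInetAddress(host)) {` or the brackets should be stripped first. The early `return !internalIp(host);` also answers true for a public IP literal when `checkWhiteList` is true, so the whitelist is never consulted; `if (internalIp(host)) { return false; }` inside the new branch would keep it in force. checkUrl's body starts and ends outside the hunk.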
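Review bot: In the `@@ -50,7 +52,7 @@` hunk, `internalIp(byte[])` now answers false for a null or too-short `addr`, which makes the filter fail open: combined with the new `return !internalIp(host);` in checkUrl, a host whose address could not be obtained is reported as external and allowed. How `addr` becomes null is decided in `internalIp(String)`, which this patch does not show, so the path is inferred, but an SSRF guard should deny the unknown case: keep `return true; // address unknown: treat as internal and reject`. If the change was meant to let unresolved hostnames through, handle that case explicitly in the caller rather than weakening this predicate. The method body continues past the hunk.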