Added initial url validation check to presentation upload

2023-04-19 21:03:52 +00:00 · 2023-04-19 21:03:52 +00:00 · 68a0623f6c
commit 68a0623f6c
parent 9b49ab681e
2 changed files with 27 additions and 1 deletions
--- a/bbb-common-web/build.sbt
+++ b/bbb-common-web/build.sbt
@ -109,5 +109,6 @@ libraryDependencies ++= Seq(
  "org.postgresql" % "postgresql" % "42.4.3",
  "org.hibernate" % "hibernate-core" % "5.6.1.Final",
  "org.flywaydb" % "flyway-core" % "7.8.2",
-  "com.zaxxer" % "HikariCP" % "4.0.3"
+  "com.zaxxer" % "HikariCP" % "4.0.3",
+  "commons-validator" % "commons-validator" % "1.7"
 )
--- a/bbb-common-web/src/main/java/org/bigbluebutton/presentation/PresentationUrlDownloadService.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/presentation/PresentationUrlDownloadService.java
@ -4,6 +4,7 @@ import java.io.File;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.ArrayList;
@ -12,6 +13,7 @@ import java.util.concurrent.Future;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Stream;

 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.FileUtils;
@ -24,6 +26,7 @@ import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
 import org.apache.http.impl.nio.client.HttpAsyncClients;
 import org.apache.http.nio.client.methods.HttpAsyncMethods;
 import org.apache.http.nio.client.methods.ZeroCopyConsumer;
+import org.apache.commons.validator.routines.InetAddressValidator;
 import org.bigbluebutton.api.Util;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -215,6 +218,28 @@ public class PresentationUrlDownloadService {
        }
    }

+    private boolean isValidRedirectUrl(String redirectUrl) {
+        String[] validProtocolIdentifiers = { "https" };
+
+        try {
+            URL url = new URL(redirectUrl);
+            String protocolIdentifier = url.getProtocol();
+
+            if(Stream.of(validProtocolIdentifiers).noneMatch(s -> s.equalsIgnoreCase(protocolIdentifier))) return false;
+
+            InetAddress[] addresses = InetAddress.getAllByName(redirectUrl);
+            InetAddressValidator validator = InetAddressValidator.getInstance();
+
+            for(InetAddress address: addresses) {
+                if(!validator.isValid(address.getHostAddress())) return false;
+            }
+        } catch(Exception e) {
+            return false;
+        }
+
+        return true;
+    }
+
    public boolean savePresentation(final String meetingId,
            final String filename, final String urlString) {