BigBlueButton/bigbluebutton-Github
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added initial url validation check to presentation upload

Browse Source
This commit is contained in:
Paul Trudel 2023-04-19 21:03:52 +00:00
parent 9b49ab681e
commit 68a0623f6c
2 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bbb-common-web/build.sbt
View File

@ -109,5 +109,6 @@ libraryDependencies ++= Seq(
"org.postgresql" % "postgresql" % "42.4.3", "org.postgresql" % "postgresql" % "42.4.3",
"org.hibernate" % "hibernate-core" % "5.6.1.Final", "org.hibernate" % "hibernate-core" % "5.6.1.Final",
"org.flywaydb" % "flyway-core" % "7.8.2", "org.flywaydb" % "flyway-core" % "7.8.2",
"com.zaxxer" % "HikariCP" % "4.0.3" "com.zaxxer" % "HikariCP" % "4.0.3",
"commons-validator" % "commons-validator" % "1.7"
) )

25
bbb-common-web/src/main/java/org/bigbluebutton/presentation/PresentationUrlDownloadService.java
View File

@ -4,6 +4,7 @@ import java.io.File;
import java.io.FilenameFilter; import java.io.FilenameFilter;
import java.io.IOException; import java.io.IOException;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.util.ArrayList; import java.util.ArrayList;
@ -12,6 +13,7 @@ import java.util.concurrent.Future;
import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture; import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import org.apache.commons.codec.digest.DigestUtils; import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
@ -24,6 +26,7 @@ import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients; import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.nio.client.methods.HttpAsyncMethods; import org.apache.http.nio.client.methods.HttpAsyncMethods;
import org.apache.http.nio.client.methods.ZeroCopyConsumer; import org.apache.http.nio.client.methods.ZeroCopyConsumer;
import org.apache.commons.validator.routines.InetAddressValidator;
import org.bigbluebutton.api.Util; import org.bigbluebutton.api.Util;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -215,6 +218,28 @@ public class PresentationUrlDownloadService {
} }
} }
private boolean isValidRedirectUrl(String redirectUrl) {
String[] validProtocolIdentifiers = { "https" };
try {
URL url = new URL(redirectUrl);
String protocolIdentifier = url.getProtocol();
if(Stream.of(validProtocolIdentifiers).noneMatch(s -> s.equalsIgnoreCase(protocolIdentifier))) return false;
InetAddress[] addresses = InetAddress.getAllByName(redirectUrl);
InetAddressValidator validator = InetAddressValidator.getInstance();
for(InetAddress address: addresses) {
if(!validator.isValid(address.getHostAddress())) return false;
}
} catch(Exception e) {
return false;
}
return true;
}
public boolean savePresentation(final String meetingId, public boolean savePresentation(final String meetingId,
final String filename, final String urlString) { final String filename, final String urlString) {