

// THIS FILE HAS BEEN GENERATED BY A PREPROCESSOR.
/* +=======================================================================
 * |
 * |      PlantUML : a free UML diagram generator
 * |
 * +=======================================================================
 *
 * (C) Copyright 2009-2024, Arnaud Roques
 *
 * Project Info:  https://plantuml.com
 *
 * If you like this project or if you find it useful, you can support us at:
 *
 * https://plantuml.com/patreon (only 1$ per month!)
 * https://plantuml.com/liberapay (only 1€ per month!)
 * https://plantuml.com/paypal
 *
 *
 * PlantUML is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License V2.
 *
 * THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
 * LICENSE ("AGREEMENT"). [GNU General Public License V2]
 *
 * ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
 * RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
 *
 * You may obtain a copy of the License at
 *
 * https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * PlantUML can occasionally display sponsored or advertising messages. Those
 * messages are usually generated on welcome or error images and never on
 * functional diagrams.
 * See https://plantuml.com/professional if you want to remove them
 *
 * Images (whatever their format : PNG, SVG, EPS...) generated by running PlantUML
 * are owned by the author of their corresponding sources code (that is, their
 * textual description in PlantUML language). Those images are not covered by
 * this GPL v2 license.
 *
 * The generated images can then be used without any reference to the GPL v2 license.
 * It is not even necessary to stipulate that they have been generated with PlantUML,
 * although this will be appreciated by the PlantUML team.
 *
 * There is an exception : if the textual description in PlantUML language is also covered
 * by any license, then the generated images are logically covered
 * by the very same license.
 *
 * This is the IGY distribution (Install GraphViz by Yourself).
 * You have to install GraphViz and to setup the GRAPHVIZ_DOT environment variable
 * (see https://plantuml.com/graphviz-dot )
 *
 * Icons provided by OpenIconic :  https://useiconic.com/open
 * Archimate sprites provided by Archi :  http://www.archimatetool.com
 * Stdlib AWS provided by https://github.com/milo-minderbinder/AWS-PlantUML
 * Stdlib Icons provided https://github.com/tupadr3/plantuml-icon-font-sprites
 * ASCIIMathML (c) Peter Jipsen http://www.chapman.edu/~jipsen
 * ASCIIMathML (c) David Lippman http://www.pierce.ctc.edu/dlippman
 * CafeUndZopfli ported by Eugene Klyuchnikov https://github.com/eustas/CafeUndZopfli
 * Brotli (c) by the Brotli Authors https://github.com/google/brotli
 * Themes (c) by Brett Schwarz https://github.com/bschwarz/puml-themes
 * Twemoji (c) by Twitter at https://twemoji.twitter.com/
 *
 */
package net.sourceforge.plantuml.security;

import java.io.UnsupportedEncodingException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLDecoder;
import java.net.UnknownHostException;

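/**
 * Guard run before PlantUML fetches a remote URL. It is an anti-SSRF filter:
 * a URL is <em>forbidden</em> unless it looks like a plain {@code http}/{@code https}
 * request to a public, named host.
 *
 * <p>A URL is rejected when any of the following holds:
 * <ul>
 * <li>the scheme is not {@code http} or {@code https};</li>
 * <li>it carries user-info (the string form rejects any {@code @} at all);</li>
 * <li>the host is an IP literal (IPv4 dotted, bracketed IPv6, or a numeric-looking
 *     shorthand such as {@code 127.1}) or a single label such as {@code localhost};</li>
 * <li>unless the security profile is {@code UNSECURE}: one of the addresses the host
 *     resolves to is wildcard, loopback, link-local, site-local / unique-local or multicast;</li>
 * <li>the host contains percent-escapes (its decoded form differs from the raw form).</li>
 * </ul>
 *
 * <p>NOTE(review): the DNS part of the check is a point-in-time snapshot. It cannot
 * defend against DNS rebinding between this check and the actual fetch, and it says
 * nothing about where an HTTP redirect leads. Callers that follow redirects should
 * re-run {@link #isURLforbidden(String)} on every redirect target.
 */
public class URLCheck {

	/**
	 * Checks a URL given as text. This is the fail-closed entry point: any parse or
	 * resolution failure (including an unknown host) is reported as forbidden.
	 *
	 * @param full the complete URL text as written in the diagram source
	 * @return {@code true} if the URL must not be fetched, {@code false} if it is allowed
	 */
	public static boolean isURLforbidden(String full) {
		// Thanks to Agasthya Kasturi

		// Any '@' anywhere is refused, not only in the authority: this closes the
		// classic "http://trusted.example@evil.example/" confusion without having
		// to reason about which parser the fetcher will use.
		if (full.contains("@"))
			return true;
		if (full.startsWith("https://") == false && full.startsWith("http://") == false)
			return true;
		// Host made only of digits, dots, colons, brackets, '-', '#' or '+':
		// an IP literal (v4 or bracketed v6) or a numeric shorthand like "127.1".
		if (full.matches("^https?://[-#.0-9:\\[\\]+]+/.*"))
			return true;
		// Single-label host ("localhost", "intranet", ...) with or without a path.
		if (full.matches("^https?://[^.]+/.*"))
			return true;
		if (full.matches("^https?://[^.]+$"))
			return true;

		try {
			if (isURLforbidden(new URL(full)))
				return true;
		} catch (Exception e) {
			// Malformed URL, unresolvable host, decoding error: fail closed.
			return true;
		}

		return false;

	}

	/**
	 * Checks an already parsed URL. Unlike the {@link String} overload this one
	 * propagates resolution problems to the caller instead of failing closed.
	 *
	 * @param url the parsed URL
	 * @return {@code true} if the URL must not be fetched, {@code false} if it is allowed
	 * @throws UnknownHostException if the host name cannot be resolved (only attempted
	 *                              when the security profile is not {@code UNSECURE})
	 * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
	 */
	public static boolean isURLforbidden(URL url) throws UnsupportedEncodingException, UnknownHostException {

		// Reject any credentials in the authority part (user:pass@host).
		final String userInfo = url.getUserInfo();
		if (userInfo != null && !userInfo.isEmpty())
			return true;

		// Only plain web schemes are fetched.
		final String protocol = url.getProtocol();
		if (!protocol.equals("http") && !protocol.equals("https"))
			return true;

		// The host must be a dotted name; single labels (localhost, NetBIOS names,
		// search-domain shortcuts) are refused outright.
		final String host = url.getHost();
		if (host == null || host.isEmpty() || !host.contains("."))
			return true;

		// When UNSECURE, we allow localhost and private addresses.
		if (SecurityUtils.getSecurityProfile() != SecurityProfile.UNSECURE) {
			// IP literals and numeric shorthands are refused before any resolution.
			if (host.matches("^[-#.0-9:\\[\\]+]+$"))
				return true;

			// Resolve EVERY address for the name, not just the first one: a host
			// with several A/AAAA records (one public, one private) must be refused
			// if any of them is internal, because the fetcher may connect to any.
			final InetAddress[] addresses = InetAddress.getAllByName(host);
			for (InetAddress inetAddress : addresses)
				if (isInnerAddress(inetAddress))
					return true;
		}

		// A host containing percent-escapes (or '+') decodes to something else;
		// refuse it rather than guess which form the fetcher will resolve.
		final String decodedHost = URLDecoder.decode(host, "UTF-8");
		if (!host.equals(decodedHost))
			return true;

		return false;
	}

	/**
	 * Returns whether an address belongs to a range that must never be reached
	 * from a diagram: wildcard, loopback, link-local, site-local / unique-local
	 * or multicast.
	 *
	 * @param inetAddress a resolved address
	 * @return {@code true} if the address is considered internal
	 */
	private static boolean isInnerAddress(InetAddress inetAddress) {
		if (inetAddress.isAnyLocalAddress() // 0.0.0.0, ::
				|| inetAddress.isLoopbackAddress() // 127.0.0.0/8, ::1
				|| inetAddress.isLinkLocalAddress() // 169.254.0.0/16, fe80::/10
				|| inetAddress.isSiteLocalAddress() // 10/8, 172.16/12, 192.168/16, fec0::/10
				|| inetAddress.isMulticastAddress()) // 224.0.0.0/4, ff00::/8
			return true;

		// Inet6Address.isSiteLocalAddress() only knows the deprecated fec0::/10
		// range. The unique-local range fc00::/7 (RFC 4193) is what private IPv6
		// networks actually use, so it has to be checked by hand. IPv4-mapped
		// addresses come back from the resolver as Inet4Address and are covered above.
		if (inetAddress instanceof Inet6Address) {
			final byte[] raw = inetAddress.getAddress();
			if ((raw[0] & 0xfe) == 0xfc)
				return true;
		}

		// NOTE(review): 100.64.0.0/10 (RFC 6598 shared address space) and the rest
		// of 0.0.0.0/8 are not covered by the JDK predicates; consider adding them
		// if the deployment has internal services on those ranges.
		return false;
	}

}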



