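--- a/java/ql/src/experimental/Security/CWE/CWE-348
+++ b/java/ql/src/experimental/Security/CWE/CWE-348
@@ -30,15 +30,13 @@ public void bad2(HttpServletRequest request) {
 @ GetMapping (value = "good1" )
 @ ResponseBody
 public String good1 (HttpServletRequest request ) {
-String remoteAddr = "" ;
-if (request != null ) {
-remoteAddr = request .getHeader ("X-FORWARDED-FOR" );
-remoteAddr = remoteAddr .split ("," )[remoteAddr .split ("," ).length - 1 ]; // good
-if (remoteAddr == null || "" .equals (remoteAddr )) {
-remoteAddr = request .getRemoteAddr ();
-}
+String ip = request .getHeader ("X-FORWARDED-FOR" );
+String [] parts = ip .split ("," );
+// Good: if this application runs behind a reverse proxy it may append the real remote IP to the end of any client-supplied X-Forwarded-For header.
+ip = parts [parts .length - 1 ];
+if (!StringUtils .startsWith (ip , "192.168." )) {
+new Exception ("ip illegal" );
 }
-return remoteAddr ;
 }
 
 protected String getClientIP () {
@@ -48,4 +46,4 @@ protected String getClientIP() {
 }
 return xfHeader .split ("," )[0 ];
 }
-}
+}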
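Review bot: At new lines 38–40 the failure branch of good1 only constructs `new Exception ("ip illegal" )` without throwing it, so an address outside 192.168. falls straight through, and because the old `return remoteAddr ;` was dropped the method, declared to return String, now has no return statement at all. A minimal repair is `throw new IllegalArgumentException("ip illegal");` in the branch and `return ip;` before the method's closing brace. The removed null guard also means `ip .split ("," )` at new line 34 dereferences a null header whenever no X-Forwarded-For is present, which the old code avoided by falling back to `request.getRemoteAddr()`; since this appears to be the query's "good" example, the sample should at least compile and handle the absent-header case so it demonstrates the intended last-hop pattern rather than a silent no-op check. The enclosing class begins before the hunk.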