forked from r2c-CSE/bad-python-app
LinkLister.java
package com.ssrf;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;
import java.util.ArrayList;
import java.util.List;
import java.io.IOException;
import java.net.*;
/**
 * Collects the hyperlinks found on a remote page.
 *
 * <p>Both entry points carry inline {@code sast:vulnerable-line/TP} markers, so this class
 * appears to be a deliberately vulnerable sample for scanner testing. The behaviour is left
 * as-is; do not reuse the code for real fetching.
 *
 * <p>Security review summary (server-side request forgery):
 * <ul>
 *   <li>{@link #getLinks(String)} passes its argument straight to {@code Jsoup.connect}, so
 *       whoever controls {@code url} chooses where this server connects.</li>
 *   <li>{@link #getLinksV2(String)} only compares the host <em>text</em> against three string
 *       prefixes. It never resolves the name, so it says nothing about the address that is
 *       actually contacted, and it does not cover loopback, link-local or IPv6 ranges.
 *       The {@code "172."} prefix is also wider than the private 172.16.0.0/12 block.</li>
 * </ul>
 *
 * <p>A hardened version would restrict the scheme to http/https, check the destination against
 * an allowlist, resolve the host and reject internal addresses using the {@code InetAddress}
 * classification methods, apply the same check to every redirect hop, and rely on egress
 * filtering as a second layer.
 */
public class LinkLister {

    /**
     * Downloads {@code url} and returns the {@code href} of every {@code <a>} element,
     * made absolute via {@code absUrl("href")}.
     *
     * @param url address of the page to fetch; used without any validation
     * @return mutable list with one entry per anchor, in document order
     * @throws IOException if the fetch fails
     */
    public static List<String> getLinks(String url) throws IOException {
        List<String> hrefs = new ArrayList<>();
        // ssrf
        Document page = Jsoup.connect(url).get(); // sast:vulnerable-line/TP
        for (Element anchor : page.select("a")) {
            hrefs.add(anchor.absUrl("href"));
        }
        return hrefs;
    }

    /**
     * Variant of {@link #getLinks(String)} that first rejects hosts whose textual form starts
     * with {@code "172."}, {@code "192.168"} or {@code "10."}.
     *
     * <p>The prefix test is not an effective SSRF control (see the class comment): it inspects
     * the string the caller supplied, not the address the connection ends up using.
     *
     * @param url address of the page to fetch
     * @return the links found on the page
     * @throws BadRequest if the host matches one of the prefixes, or if parsing or fetching
     *     fails for any reason (the original exception's message is reused)
     */
    public static List<String> getLinksV2(String url) throws BadRequest {
        try {
            URL parsed = new URL(url);
            String host = parsed.getHost();
            // NOTE(review): caller-supplied host is written to stdout unmodified.
            System.out.println(host);

            boolean matchesDeniedPrefix =
                    host.startsWith("172.") || host.startsWith("192.168") || host.startsWith("10.");
            if (matchesDeniedPrefix) {
                throw new BadRequest("Use of Private IP");
            }
            // ssrf
            return getLinks(url); // sast:vulnerable-line/TP
        } catch (Exception e) {
            // NOTE(review): this also catches the BadRequest thrown above and re-wraps it;
            // only the message survives, the original cause is dropped.
            throw new BadRequest(e.getMessage());
        }
    }
}