Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java

Co-authored-by: Chris Smowton <[email protected]>

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java

@@ -30,15 +30,13 @@ public void bad2(HttpServletRequest request) {
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
-        String remoteAddr = "";
-        if (request != null) {
-            remoteAddr = request.getHeader("X-FORWARDED-FOR");
-            remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
-            if (remoteAddr == null || "".equals(remoteAddr)) {
-                remoteAddr = request.getRemoteAddr();
-            }
+        String ip = request.getHeader("X-FORWARDED-FOR");
+        String[] parts = ip.split(",");
+        // Good: if this application runs behind a reverse proxy it may append the real remote IP to the end of any client-supplied X-Forwarded-For header.
+        ip = parts[parts.length - 1];
+        if (!StringUtils.startsWith(ip, "192.168.")) {
+            new Exception("ip illegal");
         }
-        return remoteAddr;
     }
 
     protected String getClientIP() {
@@ -48,4 +46,4 @@ protected String getClientIP() {
         }
         return xfHeader.split(",")[0];
     }
-}
+}