joychou93 / java-sec-code Goto Github PK

View Code? Open in Web Editor NEW

2.3K 46.0 626.0 437 KB

Java web common vulnerabilities and security code which is base on springboot and spring security

Java 96.52% HTML 2.52% CSS 0.96%

java code security xxe rce deserialize tomcat sqli ssrf rmi

java-sec-code's Introduction

Java Sec Code

Java sec code is a very powerful and friendly project for learning Java vulnerability code.

中文文档 😋

Introduce

This project can also be called Java vulnerability code.

Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.

Due to the server expiration, the online demo site had to go offline.

admin/admin123
joychou/joychou123

Vulnerability Code

Sort by letter.

Actuators to RCE
CommandInject
CORS
CRLF Injection
CSRF
CVE-2022-22978
Deserialize
Fastjson
File Upload
GetRequestURI
IP Forge
Java RMI
JSONP
Log4j
ooxmlXXE
PathTraversal
QLExpress
RCE
- Runtime
- ProcessBuilder
- ScriptEngine
- Yaml Deserialize
- Groovy
Shiro
Swagger
SpEL
SQL Injection
SSRF
SSTI
URL Redirect
URL whitelist Bypass
xlsxStreamerXXE
XSS
XStream
XXE
JWT

Vulnerability Description

How to run

The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.

spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code
spring.datasource.username=root
spring.datasource.password=woshishujukumima

Docker
IDEA
Tomcat
JAR

Docker

Start docker:

docker-compose pull
docker-compose up

Stop docker:

docker-compose down

Docker's environment:

Java 1.8.0_102
Mysql 8.0.17
Tomcat 8.5.11

IDEA

git clone https://github.com/JoyChou93/java-sec-code
Open in IDEA and click run button.

Example:

http://localhost:8080/rce/exec?cmd=whoami

return:

Viarus

Tomcat

git clone https://github.com/JoyChou93/java-sec-code & cd java-sec-code
Build war package by mvn clean package.
Copy war package to tomcat webapps directory.
Start tomcat application.

Example:

http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami

return:

Viarus

JAR

Change war to jar in pom.xml.

<groupId>sec</groupId>
<artifactId>java-sec-code</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>

Build package and run.

git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
mvn clean package -DskipTests 
java -jar target/java-sec-code-1.0.0.jar

Authenticate

Login

http://localhost:8080/login

If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.

admin/admin123
joychou/joychou123

Logout

http://localhost:8080/logout

RememberMe

Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.

Contributors

Core developers : JoyChou, liergou9981 Other developers: lightless, Anemone95, waderwu.

Donate

If you like the poject, you can donate to support me. With your support, I will be able to make Java sec code better 😎.

Alipay

Scan the QRcode to support Java sec code.

java-sec-code's People

Contributors

Stargazers

Watchers

Forkers

tuian sry309 lightless233 d1nfinite flat9 explorer1092 lovebair2022 f8syw5v aerfa21 w2n1ck praifire qsdj ztencmcp diazraelwang fatenocaster alilangtest iicoming aptkid songofhack 0x554simon c3stbon atpiu dhamuharker attackgithub peterxiao flying0er feinoah harry1080 sttscc um3ha4a xiadr polinload qt00tp jywah kakakpy a1kaid kansifang yi6ei2ifd conanjun xiaoq190309 l34rner bravery9 crackercat sdsecurity dr0op fengjixuchui pharazone asdwqad arryboom freegit9527 mgiftdc wilsonleeee lordsky xufengnian test123test111 cloudwafs kevien louiskoozzx baoping88 qing-q bit4woo sie504 phelaine lanzsec jingqiangliu benhe119 nicedabin ducnhse130201 fhgzs peterdocter sijido waderwu limkokholefork doge-dog jun168 sbacode imulmul lanpan999 yizhimanpadewoniu ryuzusunc r4b3rt modulexcite zeovan dannylowecx c0d1007 blockchainguard changesi codecheckdemo j5s piggypage anemone95 nagasainannapaneni longofo amjiyu henrypoter jumpyyy wfzsec orangelxl deidarayu 0ps

java-sec-code's Issues

MySQL commands to support running JavaSecCode

Please consider using some account other than 'root', such as 'joychou'. I use MySQL to support a number of services.

The following are commands I use to create the environment to support running JavaSecCode. This list may not be complete.

-- MySQL dump 10.13 Distrib 5.7.31, for Linux (x86_64)

-- Host: localhost Database: java_sec_code

-- Server version 5.7.31-0ubuntu0.18.04.1

--
-- Pedantic, aren't we

USE mysql;

--
-- Remove, create user, Super User

DROP USER IF EXISTS joychou@localhost;
CREATE USER 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';
GRANT ALL PRIVILEGES ON . TO 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';

--
-- Remove, create database

DROP DATABASE IF EXISTS java_sec_code;
CREATE DATABASE java_sec_code;
USE java_sec_code;

--
-- Table structure for table `users`

DROP TABLE IF EXISTS java_sec_code.users;
CREATE TABLE users (
id int(11) NOT NULL,
username varchar(16) NOT NULL,
password varchar(32) NOT NULL,
PRIMARY KEY (id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `users`

LOCK TABLES users WRITE;
INSERT INTO users VALUES (1,'joychou','password');
UNLOCK TABLES;

执行rm -rf /*之后系统不能用了

Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)

Yes, I apply it in Java 11, and it still can not work. Can you help me?

Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)

Originally posted by @JoyChou93 in #34 (comment)

[Bug] Codeinject的host部分由于pom.xml更新了tomcat 版本导致打不通

对于接口/codeinject/host，预期是通过修改host命令注入。

pom.xml中由于此Commit https://github.com/JoyChou93/java-sec-code/commit/621c30050f82379afe1e2e6d4ff66c1234f33913，本地启动项目的话tomcat是8.5.85 的版本。这个版本的tomcat会对host的格式做检验，对于例如host: localhost;cat /flag的host值，会认为; /这些字符不符合，从而导致打不通。

8.5.85

tomcat是8.5.11的话，可以正常打通。

文件上传功能，跳转到upload页面路径错误。

file上传页面

跳转后项目名丢失。

修改/java-sec-code-master/src/main/resources/templates/upload.html 代码，删除/file/

Apologies!

I accidentally edited the pom.xml in the master and not in my fork!
Please ignore.

I have fixed my code to respect the beautiful ZH characters in the pom.xml, so no need to make any changes.

Best regards.

CRLF无法复现？

%0d%0a会被替换成20

直接将该项目import进IDEA后，运行时报错

org.springframework.context.ApplicationContextException: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean. 对于该错误，我尝试了多种方法都无效

自动化渗透获取token方法

原理

1. 首先GET访问 /login 后签发了一个cookie其中涵盖了 xsrf-token 字段，这个字段会加入到请求头信息中。
1. 接着POST访问 /login 时候，讲上面获取的 xsrf-token 的信息添加到 X-CSRF-TOKEN 的请求头字段中进行表单提交即可。
1. 验证 token 有效的方法 /swagger-ui.html 是需要登录的，关闭重定向后如果能访问成功说明token有效。

# coding:utf-8
import os
import re
from urllib.parse import urlencode
import requests

try:
    from lib.web_sdk.logger import Log
    logging = Log(log_flag='java_code_sec')
except:
    import logging

default_header = {
    "User-Agent": "DEFAULT-SecurityLab-Tool-FOR-JAVA-SEC"
}

DATA_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data')
if not os.path.exists(DATA_DIR):
    os.makedirs(DATA_DIR)
cookie_save_path = os.path.join(DATA_DIR, 'cookie.txt')


def get_cookie_token(login_url='http://10.27.106.240/login'):
    headers = {}
    res = requests.get(login_url, headers=headers)
    cookie = [(';'.join(['='.join(item) for item in res.cookies.items()]))][0]
    # user_token = re.findall("name='user_token' value='(\w+)' />", res.text)[0]
    csrf_token = res.headers
    return cookie, csrf_token


def get_javacodesec_cookie(
        host_root_dir='http://10.27.106.240',
        username='admin',
        password='admin123',
        write_local=True):
    login_url = host_root_dir + '/login'
    _cookie, xsrf_token = get_cookie_token(login_url=login_url)
    # TODO 注意这里的登录使用的是 headers:X-XSRF-TOKEN 校验 而不是 `headers:XSRF-TOKEN`
    headers = {
        'Cookie': _cookie,
        'X-XSRF-TOKEN': re.match('XSRF-TOKEN=([0-9a-z-]+)', str(_cookie)).group(1),
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    values = {'username': username,
              'password': password,
              **{"remember-me": "false"}
              }
    response = requests.post(login_url, data=urlencode(values), headers=headers)
    cookie = [(';'.join(['='.join(item) for item in response.cookies.items()]))][0]
    # TODO 注意这里是登录成功后使用重新签发的 token 进行下面一系列的操作
    try:
        return cookie
    finally:
        if write_local:
            FileManager(path=cookie_save_path).write(cookie)


class FileManager:
    def __init__(self, path):
        self.path = path

    def read(self):
        with open(self.path, 'rb') as f:
            _txt = f.read().decode()
            f.close()
        return _txt

    def write(self, s: str):
        with open(self.path, 'wb') as f:
            f.write(s.encode())
            f.close()


def load_cookie_from_local():
    return FileManager(path=cookie_save_path).read()


def valid_cookie(host_root_dir='http://10.27.106.240', url='/swagger-ui.html'):
    if os.path.exists(cookie_save_path):
        current_cookie = load_cookie_from_local()
        headers = dict(default_header, **{"Cookie": load_cookie_from_local()})
        response = requests.get(url=host_root_dir + url, allow_redirects=False, headers=headers)
        if response.status_code != 200:
            logging.warn('重新校验 - 失效')
            return get_javacodesec_cookie()
        logging.warn('校验通过- Cookie 有效')
        return current_cookie
    else:
        logging.warn('校验 - 首次获取')
        return get_javacodesec_cookie()


def get_cookie_headers(host_root_dir='http://10.27.106.240/'):
    cookie = valid_cookie(host_root_dir=host_root_dir)
    return dict(default_header, **{"Cookie": cookie})


if __name__ == '__main__':
    valid_cookie()

jolokia/list访问不到

那个，在复现actualtor漏洞，xxx/jolokia/list访问为啥没正确页面呢？jdk版本没问题的。

无法使用

老哥你这个，是我不会配还是怎么的，就是很奇怪，

你这个必须登录嘛，要不就会一直在login

但是你那个在线的地址，和docker 我都试了一下，admin都登陆不了，不能用，我看下源码，登陆功能是空的，有点不懂

crlf injection is wrong

Hello, when I learn it, I found that CRLF Injection did not work, as follows:

Can you help me？

sqli的url有点小问题，应当是jdbc/vuln?username=

https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java#L46

应当是http://localhost:8080/sqli/jdbc/vuln?username=joychou

源代码：

    /**
     * Vuln Code.
     * http://localhost:8080/sqli/jdbc/vul?username=joychou
     *
     * @param username username
     */
    @RequestMapping("/jdbc/vuln")

Springboot的Filter拦截器中使用@value获取值为null

单独在tomcat中使用存在@value获取值为null的情况。

采用方法：https://www.cnblogs.com/wyx312/p/9887897.html

SSRF的代码感觉有些问题

/HttpURLConnection
访问：http://localhost:8080/ssrf/HttpURLConnection?url=file:///etc/passwd
会报异常：java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection
修改添加代码：
URL u = new URL(null,url,new sun.net.www.protocol.file.Handler());
任然报错，请作者指点一二

RCE的链接无法访问，其他的漏洞可以正常访问

RCE的链接无法访问，其他的漏洞可以正常访问，大佬麻烦帮忙看下，感谢！

docker 安装启动后，端口访问不到。

启动成功了，但是本地无法访问

Dependency org.jolokia:jolokia-core, leading to CVE problem

Hi,，there is a dependency **org.jolokia:jolokia-core:1.6.0
** that calls the risk method.

CVE-2018-10899

The scope of this CVE affected version is [1.2.0,1.6.1)

After further analysis, in this project, the main Api called is org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 10

org.joychou.controller.URLRedirect: forward(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: forward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: doForward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: processRequest(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: invoke(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)

Dependency tree--

[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] |  |     +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] |  |     \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |     +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] |  \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] |  \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] |  \- cglib:cglib:jar:2.2.2:compile
[INFO] |     \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] |  \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] |  |  |  |  +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |  |  +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |  |  \- antlr:antlr:jar:2.7.7:runtime
[INFO] |  |  |  |  \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] |  |  |  \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  +- com.google.inject:guice:jar:4.0:runtime
[INFO] |  |  |  \- javax.inject:javax.inject:jar:1:runtime
[INFO] |  |  \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] |  +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] |  |  +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] |  |  |  +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] |  |  |  |  +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] |  |  |  |  \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] |  |  |  |     \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] |  |  |  \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] |  |  \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |  |  |     +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] |  |  |     \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] |  |  |        \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |  |  \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] |  \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] |  +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] |  \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] |  +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] |  |  +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] |  |  |  +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] |  |  |  \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] |  |  \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] |  |     \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile

Suggested solutions:

Update dependency version

Thank you very much.

目前针对DnsRebind的问题无法解决

可考虑使用Hook TCP，获取到IP后进行IP黑名单判断。todo

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem

Hi,，there is a dependency **org.apache.tomcat.embed:tomcat-embed-core:8.5.11
** that calls the risk method.

CVE-2019-17563

The scope of this CVE affected version is [9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)

After further analysis, in this project, the main Api called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

org.joychou.controller.Index: appInfo(javax.servlet.http.HttpServletRequest)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: logout() .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Dependency tree--

[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] |  |     +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] |  |     \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |     +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] |  \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] |  \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] |  \- cglib:cglib:jar:2.2.2:compile
[INFO] |     \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] |  \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] |  |  |  |  +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |  |  +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |  |  \- antlr:antlr:jar:2.7.7:runtime
[INFO] |  |  |  |  \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] |  |  |  \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  +- com.google.inject:guice:jar:4.0:runtime
[INFO] |  |  |  \- javax.inject:javax.inject:jar:1:runtime
[INFO] |  |  \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] |  +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] |  |  +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] |  |  |  +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] |  |  |  |  +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] |  |  |  |  \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] |  |  |  |     \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] |  |  |  \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] |  |  \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |  |  |     +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] |  |  |     \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] |  |  |        \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |  |  \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] |  \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] |  +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] |  \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] |  +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] |  |  +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] |  |  |  +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] |  |  |  \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] |  |  \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] |  |     \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile

Suggested solutions:

Update dependency version

Thank you very much.

RCE的链接无法访问，其他的漏洞可以正常访问

RCE的链接无法访问，其他的漏洞可以正常访问，大佬麻烦帮忙看下，感谢！

ssrf这个怎么使用

Please update lombok

Please consider upgrading lombok from version 1.18.16 to version 1.18.20

I get a compiler error:
"Fatal error compiling: java.lang.IllegalAccessError: class lombok.javac.apt.LombokProcessor (in unnamed module @0x3816efab) cannot access class com.sun.tools.javac.processing.JavacProcessingEnvironment (in module jdk.compiler) because module jdk.compiler does not export com.sun.tools.javac.processing to unnamed module @0x3816efab"

docker 环境mysql 连接报错 Public Key Retrieval is not allowed

Public Key Retrieval is not allowed

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

Hi，there is a dependency **org.apache.httpcomponents:httpclient:4.5.12
** that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

org.joychou.util.HttpUtils: httpClient(java.lang.String)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] |  |     +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] |  |     \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |     +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] |  \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] |  \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] |  \- cglib:cglib:jar:2.2.2:compile
[INFO] |     \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] |  \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] |  |  |  |  +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |  |  +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |  |  \- antlr:antlr:jar:2.7.7:runtime
[INFO] |  |  |  |  \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] |  |  |  \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  +- com.google.inject:guice:jar:4.0:runtime
[INFO] |  |  |  \- javax.inject:javax.inject:jar:1:runtime
[INFO] |  |  \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] |  +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] |  |  +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] |  |  |  +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] |  |  |  |  +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] |  |  |  |  \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] |  |  |  |     \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] |  |  |  \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] |  |  \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |  |  |     +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] |  |  |     \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] |  |  |        \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |  |  \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] |  \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] |  +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] |  \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] |  +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] |  |  +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] |  |  |  +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] |  |  |  \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] |  |  \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] |  |     \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile

Suggested solutions:

Update dependency version

Thank you very much.

问题

目前只要带有callback的get请求都会进行Referer判断。
比如 http://localhost:8080/index?callback=123

解决

加一层判断，判断请求是否返回真的Jsonp格式。

joychou93 / java-sec-code Goto Github PK

java-sec-code's Introduction

Java Sec Code

Introduce

Vulnerability Code

Vulnerability Description

How to run

Docker

IDEA

Tomcat

JAR

Authenticate

Login

Logout

RememberMe

Contributors

Donate

Alipay

java-sec-code's People

Contributors

Stargazers

Watchers

Forkers

java-sec-code's Issues

-- MySQL dump 10.13 Distrib 5.7.31, for Linux (x86_64)

-- -- Pedantic, aren't we

-- -- Remove, create user, Super User

-- -- Remove, create database

-- -- Table structure for table users

-- -- Dumping data for table users

原理

问题

解决

Recommend Projects

Recommend Topics

Recommend Org

--
-- Pedantic, aren't we

--
-- Remove, create user, Super User

--
-- Remove, create database

--
-- Table structure for table `users`

--
-- Dumping data for table `users`