Fix code scanning alert no. 351: Server-side request forgery

CoPilot AI generated patch Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Tailormap · Nov 12, 2024 · b7c6ee2 · b7c6ee2
1 parent ef324ba
commit b7c6ee2
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/src/main/java/org/tailormap/api/controller/GeoServiceProxyController.java b/src/main/java/org/tailormap/api/controller/GeoServiceProxyController.java
@@ -164,6 +164,10 @@ public ResponseEntity<?> proxy(
   private URI buildWMSUrl(GeoService service, HttpServletRequest request) {
     final UriComponentsBuilder originalServiceUrl =
         UriComponentsBuilder.fromHttpUrl(service.getUrl());
+    // Validate the service URL against allowed domains
+    if (!isValidDomain(service.getUrl())) {
+      throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid service URL");
+    }
     // request.getParameterMap() includes parameters from an application/x-www-form-urlencoded POST
     // body
     final MultiValueMap<String, String> requestParams =
@@ -264,4 +268,19 @@ private static ResponseEntity<?> doProxy(
       return ResponseEntity.status(HttpStatus.BAD_GATEWAY).body("Bad Gateway");
     }
   }
+
+  private static final List<String> ALLOWED_DOMAINS = List.of(
+      "example.com",
+      "another-example.com"
+  );
+
+  private boolean isValidDomain(String url) {
+    try {
+      URI uri = new URI(url);
+      String host = uri.getHost();
+      return ALLOWED_DOMAINS.stream().anyMatch(host::endsWith);
+    } catch (Exception e) {
+      return false;
+    }
+  }
 }