java_sec_code_v20200407

• Added Hook Socket function to solve SSRF DNS Rebinding bypass;
• Fixed the bug that SSRF solution can cause DOS problem;
• Fixed the bug that SSRF's internal network blacklist IP can be bypassed by 127.0.0.1;
• Add the function of package uploading to dockerhub;
• Added RCE vulnerability caused by xstream;
• Added code injection vulnerability;
• Added XXE vulnerability caused by XMLReader;
• Added XXE vulnerability caused by DocumentHelper;
• Added XXE vulnerability caused by poi-ooxml and xlsx-streamer;
• Added JSON hijacking vulnerability caused by MappingJackson2JsonView;
• Added Cors vulnerability code, and provide solution for verifying first-level domain names;
• Added SSRF vulnerability caused by IOUtils and Jsoup;
• Added Mybatis SQL injection vulnerability;
• Added the security verification function of Content-Type for file upload;
• Added the function of jumping to the page before login after login;
• Added the security verification function of Ojbect automatically transferring to Jsonp;
• Add relevant code for obtaining cookies;
• Added getRequestURI () to cause permission bypass vulnerability;
• Added storage XSS vulnerability;
• The security configuration of SSRF and URL is changed from code to XML;

---

• 新增Hook Socket功能解决SSRF DNS Rebinding绕过；
• 修复SSRF解决方案可导致DOS问题的bug；
• 修复SSRF的内网黑名单IP可被127.0.0.1绕过的bug；
• 新增应用打包上传到dockerhub功能；
• 新增xstream导致的RCE漏洞；
• 新增代码注入漏洞；
• 新增XMLReader导致的XXE漏洞；
• 新增DocumentHelper导致的XXE漏洞；
• 新增poi-ooxml和xlsx-streamer导致的XXE漏洞；
• 新增MappingJackson2JsonView导致的JSON劫持漏洞；
• 新增多处造成Cors的漏洞代码，并提供校验一级域名(默认只支持多级域名)防御方案；
• 新增IOUtils和Jsoup导致的SSRF漏洞；
• 新增Mybatis SQL注入漏洞；
• 新增文件上传对Content-Type的安全校验功能；
• 新增页面登录后跳转到登录前的页面功能；
• 新增Ojbect自动转Jsonp的安全校验功能；
• 新增Cookie获取的相关方式代码；
• 新增getRequestURI()导致权限绕过漏洞；
• 新增存储型XSS漏洞；
• SSRF和URL的安全配置从代码里变成XML里获取；