From c801a9952cb129059fa169b8996154117e86a7ea Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Thu, 28 Sep 2023 02:33:39 +0000
Subject: [PATCH] Sandboxed URL creation to prevent SSRF attacks

---
 pom.xml                                           | 15 ++++++++++++++-
 .../java/com/scalesec/vulnado/LinkLister.java     |  4 +++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9c060040a..f5e539202 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,6 +16,7 @@
 
 	<properties>
 		<java.version>1.8</java.version>
+		<versions.java-security-toolkit>1.0.7</versions.java-security-toolkit>
 	</properties>
 
 	<dependencies>
@@ -65,6 +66,10 @@
 		    <version>0.10.5</version>
 		    <scope>runtime</scope>
 		</dependency>
+		<dependency>
+			<groupId>io.github.pixee</groupId>
+			<artifactId>java-security-toolkit</artifactId>
+		</dependency>
 	</dependencies>
 
 	<build>
@@ -75,5 +80,13 @@
 			</plugin>
 		</plugins>
 	</build>
-
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>io.github.pixee</groupId>
+				<artifactId>java-security-toolkit</artifactId>
+				<version>${versions.java-security-toolkit}</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 </project>
diff --git a/src/main/java/com/scalesec/vulnado/LinkLister.java b/src/main/java/com/scalesec/vulnado/LinkLister.java
index a59ebeb24..27afc0ddb 100644
--- a/src/main/java/com/scalesec/vulnado/LinkLister.java
+++ b/src/main/java/com/scalesec/vulnado/LinkLister.java
@@ -1,5 +1,7 @@
 package com.scalesec.vulnado;
 
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
 import org.jsoup.nodes.Element;
@@ -23,7 +25,7 @@ public static List<String> getLinks(String url) throws IOException {
 
   public static List<String> getLinksV2(String url) throws BadRequest {
     try {
-      URL aUrl= new URL(url);
+      URL aUrl= Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS);
       String host = aUrl.getHost();
       System.out.println(host);
       if (host.startsWith("172.") || host.startsWith("192.168") || host.startsWith("10.")){