fix: Prevent SSRF via SMTP host configuration

fit2-zhao · fit2-zhao · commit 9550ea545838 · 2026-04-24T11:16:24.000+08:00
diff --git a/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/EmailDTO.java b/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/EmailDTO.java
@@ -7,6 +7,7 @@
 public class EmailDTO {
     //SMTP 主机
     @Schema(description = "SMTP 主机")
+    @SafeHost(message = "{ip_address.not_allowed}")
     private String host;
     //SMTP 端口
     @Schema(description = "SMTP 端口")
diff --git a/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/SafeHost.java b/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/SafeHost.java
@@ -0,0 +1,16 @@
+package cn.cordys.crm.system.dto.response;
+
+import jakarta.validation.Constraint;
+import jakarta.validation.Payload;
+
+import java.lang.annotation.*;
+
+@Documented
+@Constraint(validatedBy = SafeHostValidator.class)
+@Target({ElementType.FIELD})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface SafeHost {
+    String message() default "不允许使用内网或保留地址";
+    Class<?>[] groups() default {};
+    Class<? extends Payload>[] payload() default {};
+}
diff --git a/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/SafeHostValidator.java b/backend/crm/src/main/java/cn/cordys/crm/system/dto/response/SafeHostValidator.java
@@ -0,0 +1,74 @@
+package cn.cordys.crm.system.dto.response;
+
+import jakarta.validation.ConstraintValidator;
+import jakarta.validation.ConstraintValidatorContext;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Arrays;
+import java.util.List;
+
+public class SafeHostValidator implements ConstraintValidator<SafeHost, String> {
+
+    private static final List<String> BLOCKED_CIDRS = Arrays.asList(
+            "10.0.0.0/8",
+            "172.16.0.0/12",
+            "192.168.0.0/16",
+            "127.0.0.0/8",
+            "169.254.0.0/16",
+            "0.0.0.0/8",
+            "100.64.0.0/10",
+            "224.0.0.0/4",
+            "::1/128",
+            "fe80::/10",
+            "fc00::/7"
+    );
+
+    @Override
+    public boolean isValid(String host, ConstraintValidatorContext context) {
+        if (host == null || host.isEmpty()) {
+            return true; // 由 @NotNull 控制
+        }
+        try {
+            InetAddress addr = InetAddress.getByName(host);
+            return !isBlocked(addr);
+        } catch (UnknownHostException e) {
+            // 无法解析的域名一律放行？建议拒绝，因为可能被用来绕过（可改为 return false）
+            return false;
+        }
+    }
+
+    private boolean isBlocked(InetAddress addr) {
+        for (String cidr : BLOCKED_CIDRS) {
+            if (matchesCIDR(addr, cidr)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private boolean matchesCIDR(InetAddress addr, String cidr) {
+        try {
+            String[] parts = cidr.split("/");
+            InetAddress network = InetAddress.getByName(parts[0]);
+            int prefix = Integer.parseInt(parts[1]);
+            byte[] addrBytes = addr.getAddress();
+            byte[] networkBytes = network.getAddress();
+            if (addrBytes.length != networkBytes.length) return false;
+
+            int fullBytes = prefix / 8;
+            int remainingBits = prefix % 8;
+
+            for (int i = 0; i < fullBytes; i++) {
+                if (addrBytes[i] != networkBytes[i]) return false;
+            }
+            if (remainingBits > 0 && fullBytes < addrBytes.length) {
+                int mask = (0xFF << (8 - remainingBits)) & 0xFF;
+                return (addrBytes[fullBytes] & mask) == (networkBytes[fullBytes] & mask);
+            }
+            return true;
+        } catch (Exception e) {
+            return false;
+        }
+    }
+}
diff --git a/backend/crm/src/main/java/cn/cordys/crm/system/job/NotifyOnJob.java b/backend/crm/src/main/java/cn/cordys/crm/system/job/NotifyOnJob.java
@@ -32,7 +32,7 @@ public void onEvent() {
         try {
             this.addNotification();
         } catch (Exception e) {
-            log.error("公告通知异常: ", e.getMessage());
+            log.error("公告通知异常: {}", e.getMessage());
         }
     }
 
diff --git a/backend/crm/src/main/resources/i18n/cordys-crm_en_US.properties b/backend/crm/src/main/resources/i18n/cordys-crm_en_US.properties
@@ -828,3 +828,4 @@ order.stage.pending_acceptance=Pending acceptance
 order.stage.completed=Completed
 order.stage.voided=Voided
 order.number.length.exceed=Please reconfigure the generation rule if the line number is longer than 50 characters!
+ip_address.not_allowed=The IP address cannot be an intranet or reserved address!
diff --git a/backend/crm/src/main/resources/i18n/cordys-crm_zh_CN.properties b/backend/crm/src/main/resources/i18n/cordys-crm_zh_CN.properties
diff --git a/backend/crm/src/test/java/cn/cordys/crm/system/controller/OrganizationSettingsControllerTests.java b/backend/crm/src/test/java/cn/cordys/crm/system/controller/OrganizationSettingsControllerTests.java

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public void onEvent() {`
`32`	`32`	`try {`
`33`	`33`	`this.addNotification();`
`34`	`34`	`} catch (Exception e) {`
`35`		`- log.error("公告通知异常: ", e.getMessage());`
	`35`	`+ log.error("公告通知异常: {}", e.getMessage());`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`