Java 如何避免这种声纳安全违规'；安全性-URLConnection服务器端请求伪造（SSRF）和文件泄露'；？

我按照这里的指示走

以及从这里

这两种解决方案都无法消除该漏洞

我不知道还能做什么。任何想法，甚至是错误的指针

我的代码有安全违规

,

,

注意findFqdnForVM从我们端保存的状态文件中获取url。

这是我修复它的失败尝试

'''

'''

我不确定这里有什么危险，我查看了一个只有一个端点的白名单。这怎么可能不安全呢

String vmUrl = TerraformStateService.findFqdnForVM(Long.parseLong(subid), workspace, vmName);
String jupyterUrl = vmUrl + "/hub";
URL url = new URL(jupyterUrl);

try {
    HttpURLConnection httpConnection = (HttpURLConnection) url.openConnection();
    try {
        SSLService.setupSSL(keystoreCred, httpConnection);
        httpConnection.setRequestMethod("GET");
        if (httpConnection.getResponseCode() == 200 || httpConnection.getResponseCode() == 403) {
            return true;
        }
    } finally {
        httpConnection.disconnect();
    }

String str = TerraformStateService.findFqdnForVM(Long.parseLong(subid), workspace, vmName);
try {
if (!str.startsWith(CommonConstants.URL_PREFIX_WHITELIST)){
    throw new Exception();
}
if (!str.endsWith(CommonConstants.URL_WHITELIST)){
    throw new Exception();
}
URL url = new URL(str);
if(!url.getProtocol().startsWith("http"))
    throw new Exception();
if (!url.getHost().equalsIgnoreCase(CommonConstants.URL_WHITELIST)){
    throw new Exception();
}
if (!url.getAuthority().equalsIgnoreCase(CommonConstants.URL_WHITELIST)) {
    throw new Exception();
}
InetAddress inetAddress = InetAddress.getByName(url.getHost());
if(inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isLinkLocalAddress())
    throw new Exception();
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setInstanceFollowRedirects(false);
conn.connect();
try {
    SSLService.setupSSL(keystoreCred, conn);
    conn.setRequestMethod("GET");
    if (conn.getResponseCode() == 200 || conn.getResponseCode() == 403) {
        return true;
    }
} finally {
    conn.disconnect();
}