Java Web中Word转换器与SSRF风险分析及防护<\/h1>

0x00 前言<\/h2>
在Java Web开发中，Word转PDF是常见功能需求，主要用于合同管理、公文审批、报告生成等业务场景。PDF格式具有跨平台兼容性好、难以篡改、便于存档传播等优势。然而，实现此功能时若对组件库实现细节了解不足，可能引入安全风险，特别是SSRF（Server-Side Request Forgery）漏洞。<\/p>

0x01 常见Word转换器实现方式<\/h2>

1.1 Apache POI + iText<\/h3>

技术组合<\/strong>：Apache POI处理Word文档，iText生成PDF<\/li>

实现代码<\/strong>：<\/li> <\/ul>
public<\/span> static<\/span> void<\/span> convert<\/span>(<\/span>String inputPath,<\/span> String outputPath)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> try<\/span> (<\/span>FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>inputPath);<\/span> <\/span><\/span> FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>outputPath))<\/span> {<\/span> <\/span><\/span> XWPFDocument document =<\/span> new<\/span> XWPFDocument(<\/span>fis);<\/span> <\/span><\/span> Document pdfDoc =<\/span> new<\/span> Document();<\/span> <\/span><\/span> PdfWriter.<\/span>getInstance<\/span>(<\/span>pdfDoc,<\/span> fos);<\/span> <\/span><\/span> pdfDoc.<\/span>open<\/span>();<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>XWPFParagraph paragraph :<\/span> document.<\/span>getParagraphs<\/span>())<\/span> {<\/span> <\/span><\/span> String text =<\/span> paragraph.<\/span>getText<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>text !=<\/span> null<\/span> &&<\/span> !<\/span>text.<\/span>isEmpty<\/span>())<\/span> {<\/span> <\/span><\/span> pdfDoc.<\/span>add<\/span>(<\/span>new<\/span> Paragraph(<\/span>text));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> for<\/span> (<\/span>XWPFTable table :<\/span> document.<\/span>getTables<\/span>())<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>XWPFTableRow row :<\/span> table.<\/span>getRows<\/span>())<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>XWPFTableCell cell :<\/span> row.<\/span>getTableCells<\/span>())<\/span> {<\/span> <\/span><\/span> String cellText =<\/span> cell.<\/span>getText<\/span>();<\/span> <\/span><\/span> pdfDoc.<\/span>add<\/span>(<\/span>new<\/span> Paragraph(<\/span>cellText));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> pdfDoc.<\/span>close<\/span>();<\/span> <\/span><\/span> document.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 局限性<\/strong>：不支持图片和复杂样式，性能一般，不适合高质量转换场景<\/li> <\/ul> 1.2 Spire.Doc<\/h3> 特性<\/strong>：专业Java Word组件，无需安装Microsoft Office<\/li> 功能<\/strong>：支持文档创建、读取、编辑、转换、打印等操作<\/li> 实现代码<\/strong>：<\/li> <\/ul> \/\/ 创建Document对象并载入Word文档 <\/span><\/span><\/span><\/span>Document doc =<\/span> new<\/span> Document(<\/span>targetFile);<\/span> <\/span><\/span>\/\/ 将文档保存为PDF格式 <\/span><\/span><\/span><\/span>doc.<\/span>saveToFile<\/span>(<\/span>destFile,<\/span> FileFormat.<\/span>PDF<\/span>);<\/span> <\/span><\/span><\/code><\/pre> 版本<\/strong>：提供商业版和免费版<\/li> <\/ul> 1.3 LibreOffice<\/h3> 特性<\/strong>：功能强大的开源办公软件，支持多种文档格式<\/li> 实现方式<\/strong>：通过命令行调用转换功能<\/li> 示例代码<\/strong>：<\/li> <\/ul> public<\/span> File ConvertDocxToPdf<\/span>(<\/span>String filename)<\/span> throws<\/span> IOException,<\/span> InterruptedException {<\/span> <\/span><\/span> synchronized<\/span> (<\/span>LibreOfficeLock.<\/span>LOCK<\/span>)<\/span> {<\/span> <\/span><\/span> String tempDocxFilePath =<\/span> ".\/"<\/span> +<\/span> filename;<\/span> <\/span><\/span> String outputPdfFileName =<\/span> filename.<\/span>replace<\/span>(<\/span>".docx"<\/span>,<\/span> ".pdf"<\/span>);<\/span> <\/span><\/span> String outputPdfFilePath =<\/span> ".\/"<\/span> +<\/span> outputPdfFileName;<\/span> <\/span><\/span> <\/span><\/span> String[]<\/span> command =<\/span> {<\/span> <\/span><\/span> "libreoffice"<\/span>,<\/span> \/\/ Linux下为libreoffice，macOS下为soffice <\/span><\/span><\/span><\/span> "--headless"<\/span>,<\/span> <\/span><\/span> "--convert-to"<\/span>,<\/span> <\/span><\/span> "pdf"<\/span>,<\/span> <\/span><\/span> "--outdir"<\/span>,<\/span> <\/span><\/span> outputDirectory,<\/span> <\/span><\/span> tempDocxFilePath <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> Process process =<\/span> null<\/span>;<\/span> <\/span><\/span> ProcessBuilder processBuilder =<\/span> new<\/span> ProcessBuilder(<\/span>command);<\/span> <\/span><\/span> process =<\/span> processBuilder.<\/span>start<\/span>();<\/span> <\/span><\/span> int<\/span> exitCode =<\/span> process.<\/span>waitFor<\/span>();<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>exitCode !=<\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> IOException(<\/span>"Conversion failed: "<\/span> +<\/span> exitCode);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> outputDocxFile;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>其他方案<\/h3> Aspose.Words for Java<\/strong>：功能强大的商业库<\/li> Docx4j + XSL-FO<\/strong>：适合对文档样式有高度定制需求的场景<\/li> <\/ul> 0x02 潜在SSRF风险分析<\/h2> 风险来源<\/h3> 转换组件功能强大，如LibreOffice支持HTML解析，在处理HTML内容（如img标签的URL）时可能触发远程资源请求，若URL访问无严格限制，可能导致SSRF攻击。<\/p> 验证实验<\/h3> 准备恶意HTML文件<\/strong>：<\/li> <\/ol> <\/span><\/span><\/code><\/pre> 使用Spire.Doc转换<\/strong>：<\/li> <\/ol> Document doc =<\/span> new<\/span> Document(<\/span>targetFile);<\/span> <\/span><\/span>doc.<\/span>saveToFile<\/span>(<\/span>destFile,<\/span> FileFormat.<\/span>PDF<\/span>);<\/span> <\/span><\/span><\/code><\/pre> 结果<\/strong>：DNSlog成功接收到请求，证实SSRF风险存在<\/li> <\/ul> LibreOffice测试<\/strong>：同样存在类似行为<\/li> <\/ol> 0x03 常见绕过方式与修复方案<\/h2> 常见检测方式及绕过<\/h3> 后缀名检查<\/strong><\/p> 绕过方法<\/strong>：将HTML文件后缀改为.docx仍可成功解析<\/li> <\/ul> <\/li> 文件类型检测（hotool工具包示例）<\/strong><\/p> 检测原理<\/strong>：通过文件头字节判断文件类型<\/li> 源码分析<\/strong>：<\/li> <\/ul> private<\/span> static<\/span> ContentType getFileType<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>bytes.<\/span>length<\/span> <<\/span> 14<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> ContentType.<\/span>OTHERS<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> bytes2 =<\/span> new<\/span> byte<\/span>[<\/span>14<\/span>];<\/span> <\/span><\/span> System.<\/span>arraycopy<\/span>(<\/span>bytes,<\/span> 0<\/span>,<\/span> bytes2,<\/span> 0<\/span>,<\/span> 14<\/span>);<\/span> <\/span><\/span> String fileHexString =<\/span> getFileHexString(<\/span>bytes2);<\/span> <\/span><\/span> fileHexString =<\/span> fileHexString.<\/span>toUpperCase<\/span>();<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>fileHexString.<\/span>startsWith<\/span>(<\/span>ContentType.<\/span>DOC<\/span>.<\/span>getFileTitle<\/span>()))<\/span> {<\/span> <\/span><\/span> return<\/span> ContentType.<\/span>DOC<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> if<\/span> (<\/span>fileHexString.<\/span>startsWith<\/span>(<\/span>ContentType.<\/span>DOCX<\/span>.<\/span>getFileTitle<\/span>()))<\/span> {<\/span> <\/span><\/span> \/\/ 进一步确认docx：检查是否包含"word\/"内容 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> bytes500 =<\/span> new<\/span> byte<\/span>[<\/span>500<\/span>];<\/span> <\/span><\/span> System.<\/span>arraycopy<\/span>(<\/span>bytes,<\/span> bytes.<\/span>length<\/span> -<\/span> 500<\/span>,<\/span> bytes500,<\/span> 0<\/span>,<\/span> 500<\/span>);<\/span> <\/span><\/span> fileHexString =<\/span> getFileHexString(<\/span>bytes500);<\/span> <\/span><\/span> if<\/span> (<\/span>fileHexString.<\/span>contains<\/span>(<\/span>"776f72642f"<\/span>))<\/span> {<\/span> \/\/ "word\/"的十六进制 <\/span><\/span><\/span><\/span> return<\/span> ContentType.<\/span>DOCX<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> ContentType.<\/span>OTHERS<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 绕过方法<\/strong>：伪造文件头（如DOCX文件头为504B0304）<\/li> <\/ul> <\/li> 高级绕过技术<\/strong><\/p> 使用WPS将恶意HTML文件另存为docx格式，可成功绕过多种检测<\/li> <\/ul> <\/li> <\/ol> 修复方案<\/h3> 网络层防护<\/strong><\/p> 使用代理服务或防火墙限制文档转换服务的网络访问权限<\/li> 只允许必要的外部访问，阻断所有内部网络探测行为<\/li> <\/ul> <\/li> 应用层防护<\/strong><\/p> 实施严格的文件类型验证，不仅检查文件头，还应验证文件内容的真实性<\/li> 对转换服务进行沙箱隔离，限制其网络访问能力<\/li> <\/ul> <\/li> 代码审计重点<\/strong><\/p> 重点关注文档解析过程中可能触发外部资源请求的组件<\/li> 积累相关漏洞模式，加强安全检测<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> Word转换功能在Java Web应用中广泛使用，但组件强大的功能背后隐藏着SSRF风险。攻击者可通过构造恶意文档利用转换过程中的外部资源请求功能实施攻击。防护需要从网络隔离、文件验证和多层检测入手，同时开发人员需在代码审计时特别关注此类隐蔽的SSRF风险。<\/p>