test-version22
/
MeterSphere
mirror of https://gitee.com/fit2cloud-feizhiyun/MeterSphere.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix: 校验origin, 有些socket请求不安全

This commit is contained in:
CaptainB 2023-10-13 14:17:59 +08:00 committed by 刘瑞斌
parent 466ca2fb3e
commit 1004753a48
1 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
backend/src/main/java/io/metersphere/security/CsrfFilter.java
View File

@ -37,6 +37,12 @@ public class CsrfFilter extends AnonymousFilter {
if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) { if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
return true; return true;
} }
// 校验 referer
validateReferer(httpServletRequest);
// 校验 origin
validateOrigin(httpServletRequest);
// websocket 不需要csrf // websocket 不需要csrf
String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key"); String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key");
if (StringUtils.isNotBlank(websocketKey)) { if (StringUtils.isNotBlank(websocketKey)) {
@ -47,11 +53,27 @@ public class CsrfFilter extends AnonymousFilter {
String csrfToken = httpServletRequest.getHeader(TOKEN_NAME); String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
// 校验 token // 校验 token
validateToken(csrfToken); validateToken(csrfToken);
// 校验 referer
validateReferer(httpServletRequest);
return true; return true;
} }
private void validateOrigin(HttpServletRequest httpServletRequest) {
Environment env = CommonBeanFactory.getBean(Environment.class);
String domains = env.getProperty("origin.urls");
if (StringUtils.isBlank(domains)) {
// 没有配置不校验
return;
}
String[] split = StringUtils.split(domains, ",");
String origin = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
if (split != null) {
if (!ArrayUtils.contains(split, origin)) {
throw new RuntimeException("csrf origin error");
}
}
}
private void validateReferer(HttpServletRequest request) { private void validateReferer(HttpServletRequest request) {
Environment env = CommonBeanFactory.getBean(Environment.class); Environment env = CommonBeanFactory.getBean(Environment.class);
String domains = env.getProperty("referer.urls"); String domains = env.getProperty("referer.urls");
@ -64,7 +86,7 @@ public class CsrfFilter extends AnonymousFilter {
String referer = request.getHeader(HttpHeaders.REFERER); String referer = request.getHeader(HttpHeaders.REFERER);
if (split != null) { if (split != null) {
if (!ArrayUtils.contains(split, referer)) { if (!ArrayUtils.contains(split, referer)) {
throw new RuntimeException("csrf error"); throw new RuntimeException("csrf referer error");
} }
} }
} }