From 3392ae6cb3354de17d209062edb3246dec1d54dc Mon Sep 17 00:00:00 2001
From: "Captain.B" 
Date: Thu, 11 Mar 2021 11:47:20 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20socket=20=E9=93=BE=E6=8E=A5=E4=B8=8D?=
 =?UTF-8?q?=E7=94=A8=E7=BB=8F=E8=BF=87csrf?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/io/metersphere/commons/utils/ShiroUtils.java | 4 ++++
 .../src/main/java/io/metersphere/config/ShiroConfig.java | 9 +++------
 .../main/java/io/metersphere/security/CsrfFilter.java | 6 ++++++
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java b/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
index e48a56c994..18c222d1ba 100644
--- a/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
+++ b/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
@@ -44,6 +44,10 @@ public class ShiroUtils {
         // filterChainDefinitionMap.put("/document/**", "anon");
     }
 
+    public static void ignoreCsrfFilter(Map filterChainDefinitionMap) {
+        filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
+    }
+
     public static Cookie getSessionIdCookie(){
         SimpleCookie sessionIdCookie = new SimpleCookie();
         sessionIdCookie.setPath("/");
diff --git a/backend/src/main/java/io/metersphere/config/ShiroConfig.java b/backend/src/main/java/io/metersphere/config/ShiroConfig.java
index 9e8aefce18..4755bbe8d4 100644
--- a/backend/src/main/java/io/metersphere/config/ShiroConfig.java
+++ b/backend/src/main/java/io/metersphere/config/ShiroConfig.java
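Review bot: The new `ignoreCsrfFilter` takes a raw `Map`, so its `put("/", "apikey, authc")` is an unchecked call; Shiro's `getFilterChainDefinitionMap()` is a `Map<String, String>` and the signature should say so: `public static void ignoreCsrfFilter(Map<String, String> filterChainDefinitionMap) {`. The method also needs a Javadoc stating that it must be called before the catch-all `/**` definition is registered, because Shiro's path-matching resolver uses the first matching chain in insertion order, so an entry added after `/**` would never take effect; the ShiroConfig hunk below depends on that ordering without saying so. The trailing comment would read better in English, e.g. `// "/" is reached by redirect, so it is served without the CSRF check`.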
@@ -47,18 +47,15 @@ public class ShiroConfig implements EnvironmentAware {
         shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter());
         shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter());
         Map filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();
+
         ShiroUtils.loadBaseFilterChain(filterChainDefinitionMap);
-        ignoreCsrfFilter(filterChainDefinitionMap);
+        ShiroUtils.ignoreCsrfFilter(filterChainDefinitionMap);
+
         filterChainDefinitionMap.put("/**", "apikey, csrf, authc");
         return shiroFilterFactoryBean;
     }
 
 
-    private void ignoreCsrfFilter(Map filterChainDefinitionMap) {
-        filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
-        filterChainDefinitionMap.put("/performance/report/*", "apikey, authc"); // socket 不用校验 csrf
-    }
-
     @Bean(name = "shiroFilter")
     public FilterRegistrationBean shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception {
         FilterRegistrationBean registration = new FilterRegistrationBean<>();
diff --git a/backend/src/main/java/io/metersphere/security/CsrfFilter.java b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
index a426c14d35..ea21966c4b 100644
--- a/backend/src/main/java/io/metersphere/security/CsrfFilter.java
+++ b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
@@ -32,6 +32,12 @@ public class CsrfFilter extends AnonymousFilter {
         if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
             return true;
         }
+        // websocket 不需要csrf
+        String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key");
+        if (StringUtils.isNotBlank(websocketKey)) {
+            return true;
+        }
+
         // 请求头取出的token value
         String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
         // 校验 token
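Review bot: The `Sec-WebSocket-Key` exemption skips the CSRF token check on every path the `csrf` filter covers, whereas the ShiroConfig rule it replaces was scoped to `/performance/report/*`; and the header it keys on is one a browser attaches automatically to any WebSocket handshake, including one opened by a page on another origin with this site's session cookie, so the check being skipped was the only cross-origin protection those endpoints had (scripts cannot set `Sec-*` headers on ordinary fetch/XHR, so the exposure is limited to handshakes, which the same-origin policy does not restrict). The handshake should be accepted here only when it is a genuine upgrade from this site's own origin, e.g. `boolean isWebSocketHandshake = StringUtils.isNotBlank(websocketKey) && "websocket".equalsIgnoreCase(httpServletRequest.getHeader("Upgrade"));` followed by `if (isWebSocketHandshake && isTrustedOrigin(httpServletRequest)) { return true; }`, where the proposed `isTrustedOrigin` compares the `Origin` header against the configured site URL (the property holding it is not visible in this patch). If origin validation already happens in the WebSocket endpoint's configurator, a comment here naming that check would be enough, and the Chinese comment is better as `// genuine WebSocket handshakes carry no CSRF token; origin is validated instead`. `httpServletRequest` is declared, and the enclosing method starts and ends, outside the hunk.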