From 7506a03167ea379df509958c2aaf9ebc47d9e625 Mon Sep 17 00:00:00 2001
From: CaptainB
Date: Wed, 16 Mar 2022 18:51:09 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E7=A6=81=E7=94=A8TRACE/TRACK=E6=96=B9?=
 =?UTF-8?q?=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
--bug=1011291 --user=刘瑞斌 [BUG]github#11510ms-node-controlle组件的http请求默认未禁用TRACE/TRACK方法,存在安全风险,请修复 https://www.tapd.cn/55049933/s/1119268 Closes #11510
---
 .../src/main/java/io/metersphere/config/HTTPSConfig.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/backend/src/main/java/io/metersphere/config/HTTPSConfig.java b/backend/src/main/java/io/metersphere/config/HTTPSConfig.java
index 9a4b267c4d..894977bec8 100644
--- a/backend/src/main/java/io/metersphere/config/HTTPSConfig.java
+++ b/backend/src/main/java/io/metersphere/config/HTTPSConfig.java
@@ -3,6 +3,8 @@ package io.metersphere.config;
 import io.undertow.Undertow;
 import io.undertow.UndertowOptions;
+import io.undertow.server.handlers.DisallowedMethodsHandler;
+import io.undertow.util.HttpString;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
@@ -45,6 +47,11 @@ public class HTTPSConfig {
 // .setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.PERMIT))
 // .setConfidentialPortManager(exchange -> httpsPort);
 // });
+ // 禁用 TRACE 和 TRACK
+ undertowFactory.addDeploymentInfoCustomizers(deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(handler -> {
+ HttpString[] disallowedHttpMethods = {HttpString.tryFromString("TRACE"), HttpString.tryFromString("TRACK")};
+ return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
+ }));
 return undertowFactory;
 }
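Review bot: `HttpString.tryFromString("TRACE")` in the second hunk re-creates a constant Undertow already ships as `io.undertow.util.Methods.TRACE`, and since `DisallowedMethodsHandler` accepts the methods as varargs the temporary array is not needed: `return new DisallowedMethodsHandler(handler, Methods.TRACE, HttpString.tryFromString("TRACK"));` (TRACK has no constant in `Methods`, so it stays a string). The `ConditionalOnProperty` import in the first hunk suggests this configuration class is only registered under a property condition; if that is the case, deployments that run without it still accept TRACE/TRACK, and the wrapper belongs in whichever factory customizer is always active — worth confirming against the class annotation, which is outside the hunk. The added comment says what is disabled but not why; `// Reject TRACE/TRACK with 405 so request headers (incl. cookies) cannot be reflected back to a script (cross-site tracing)` would tell the next reader which risk the handler closes. The enclosing factory method starts outside the hunk.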