fix: 禁用TRACE/TRACK方法

--bug=1011291 --user=刘瑞斌 [BUG]github#11510ms-node-controlle组件的http请求默认未禁用TRACE/TRACK方法,存在安全风险,请修复 https://www.tapd.cn/55049933/s/1119268

Closes #11510
This commit is contained in:
CaptainB 2022-03-16 18:51:09 +08:00 committed by 刘瑞斌
parent 2075838435
commit 7506a03167
1 changed files with 7 additions and 0 deletions

View File

@ -3,6 +3,8 @@ package io.metersphere.config;
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
@ -45,6 +47,11 @@ public class HTTPSConfig {
// .setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.PERMIT))
// .setConfidentialPortManager(exchange -> httpsPort);
// });
// 禁用 TRACE TRACK
undertowFactory.addDeploymentInfoCustomizers(deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(handler -> {
HttpString[] disallowedHttpMethods = {HttpString.tryFromString("TRACE"), HttpString.tryFromString("TRACK")};
return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
}));
return undertowFactory;
}