From d65b0e83b91d86c61a82cf383c73ba70bb5864f0 Mon Sep 17 00:00:00 2001
From: WinterChenS <1085143002@qq.com>
Date: Tue, 12 Nov 2024 12:07:09 +0800
Subject: [PATCH] fix: invorrect access control vuInerability

---
 .../luischen/interceptor/BaseInterceptor.java | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/main/java/cn/luischen/interceptor/BaseInterceptor.java b/src/main/java/cn/luischen/interceptor/BaseInterceptor.java
index 81c1b16..978c8da 100644
--- a/src/main/java/cn/luischen/interceptor/BaseInterceptor.java
+++ b/src/main/java/cn/luischen/interceptor/BaseInterceptor.java
@@ -59,13 +59,13 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         if (null == user) {
             Integer uid = TaleUtils.getCookieUid(request);
             if (null != uid) {
-                // 这里还是有安全隐患, cookie 是可以伪造的
+                // Cookie 可以伪造,因此要注意
                 user = userService.getUserInfoById(uid);
                 request.getSession().setAttribute(WebConst.LOGIN_SESSION_KEY, user);
             }
         }
 
-        // 如果是以 /admin 开头并且不是特定的静态资源文件,则要求认证
+        // 需要认证的路径,不包括静态资源和登录页面
         if (uri.startsWith("/admin")
                 && !uri.startsWith("/admin/login")
                 && null == user
@@ -75,13 +75,13 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
             return false;
         }
 
-        // 设置 CSRF token 并要求对敏感操作进行校验
+        // 设置 CSRF token,仅对敏感操作进行 CSRF 校验
         if ("GET".equalsIgnoreCase(request.getMethod())) {
             String csrfToken = UUID.UU64();
             // 默认存储30分钟
             cache.hset(Types.CSRF_TOKEN.getType(), csrfToken, uri, 30 * 60);
             request.setAttribute("_csrf_token", csrfToken);
-        } else if ("POST".equalsIgnoreCase(request.getMethod())) {
+        } else if ("POST".equalsIgnoreCase(request.getMethod()) && isSensitiveOperation(uri)) {
             // 检查 POST 请求的 CSRF token
             String csrfToken = request.getParameter("_csrf_token");
             String expectedUri = cache.hget(Types.CSRF_TOKEN.getType(), csrfToken);
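Review bot: The reworded comment on the cookie branch still names a forgery risk that the surrounding code does nothing about: the uid returned by `TaleUtils.getCookieUid(request)` goes straight into `userService.getUserInfoById(uid)` and the result is stored as the logged-in user in the session, so whatever protects this path lives entirely inside getCookieUid, which is not visible in this hunk. A comment that only says the cookie can be forged leaves the next reader unable to tell whether an integrity check exists or is still missing. I would make the comment state the actual guarantee, e.g. `// uid comes from a client cookie; only trustworthy if getCookieUid verifies its integrity (encrypted/signed value) — confirm`, and if getCookieUid turns out to return the raw cookie value, treat this branch as an authentication bypass and validate the cookie before trusting it. preHandle begins and ends outside this hunk.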
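Review bot: The added `&& isSensitiveOperation(uri)` on the POST branch turns CSRF validation from default-on into an allow-list: any POST whose path does not contain /delete, /update or /create is now accepted without a `_csrf_token` check, so every other state-changing admin endpoint, and every one added later, is unprotected unless someone remembers to extend the list. For a commit titled as an access-control fix this is a regression in coverage rather than a fix. The safer shape is to keep validating every non-GET request and exempt specific paths explicitly (the login form, if that was the motivation — the hunk does not say), e.g. `} else if (!"GET".equalsIgnoreCase(request.getMethod()) && !isCsrfExempt(uri)) {` backed by a small exemption list of path prefixes. preHandle begins and ends outside this hunk.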
@@ -96,7 +96,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
     }
 
     /**
-     * 检查是否为静态资源文件,避免对静态资源文件进行认证
+     * 检查是否为静态资源文件
      */
     private boolean isStaticResource(String uri) {
         return uri.startsWith("/admin/css") || uri.startsWith("/admin/images")
@@ -104,6 +104,14 @@ private boolean isStaticResource(String uri) {
                 || uri.startsWith("/admin/editormd");
     }
 
+    /**
+     * 检查是否为敏感操作路径(例如:删除、更新等操作)
+     */
+    private boolean isSensitiveOperation(String uri) {
+        return uri.contains("/delete") || uri.contains("/update") || uri.contains("/create");
+    }
+
+
     @Override
     public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
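Review bot: isSensitiveOperation is the only thing deciding which POSTs undergo CSRF validation, but its Javadoc reads as a list of examples; it should state the consequence, because a path not matched here is accepted without a token. Suggested Javadoc: `Returns true for request paths whose POST must carry a valid _csrf_token; any mutating endpoint not matched here is accepted without CSRF validation, so new state-changing routes must be added to this list.` The `uri.contains` substring test also matches anywhere in the path while missing any route named differently (say, a constructed /admin/article/publish), so an explicit list of path prefixes checked with `startsWith`, as isStaticResource already does, would make the contract checkable. The two consecutive blank lines after the new method are a minor style nit; one blank line is the convention in the surrounding hunks.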