
fix: incorrect access control vulnerability #90

Merged
merged 1 commit into from
Nov 12, 2024
18 changes: 13 additions & 5 deletions src/main/java/cn/luischen/interceptor/BaseInterceptor.java
Expand Up @@ -59,13 +59,13 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
if (null == user) {
Integer uid = TaleUtils.getCookieUid(request);
if (null != uid) {
// 这里还是有安全隐患, cookie 是可以伪造的
// Cookie 可以伪造,因此要注意
user = userService.getUserInfoById(uid);
request.getSession().setAttribute(WebConst.LOGIN_SESSION_KEY, user);
}
}

// 如果是以 /admin 开头并且不是特定的静态资源文件,则要求认证
// 需要认证的路径,不包括静态资源和登录页面
if (uri.startsWith("/admin")
&& !uri.startsWith("/admin/login")
&& null == user
Expand All @@ -75,13 +75,13 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
return false;
}

// 设置 CSRF token 并要求对敏感操作进行校验
// 设置 CSRF token,仅对敏感操作进行 CSRF 校验
if ("GET".equalsIgnoreCase(request.getMethod())) {
String csrfToken = UUID.UU64();
// 默认存储30分钟
cache.hset(Types.CSRF_TOKEN.getType(), csrfToken, uri, 30 * 60);
request.setAttribute("_csrf_token", csrfToken);
} else if ("POST".equalsIgnoreCase(request.getMethod())) {
} else if ("POST".equalsIgnoreCase(request.getMethod()) && isSensitiveOperation(uri)) {
// 检查 POST 请求的 CSRF token
String csrfToken = request.getParameter("_csrf_token");
String expectedUri = cache.hget(Types.CSRF_TOKEN.getType(), csrfToken);
Expand All @@ -96,14 +96,22 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
}

/**
* 检查是否为静态资源文件,避免对静态资源文件进行认证
* 检查是否为静态资源文件
*/
private boolean isStaticResource(String uri) {
return uri.startsWith("/admin/css") || uri.startsWith("/admin/images")
|| uri.startsWith("/admin/js") || uri.startsWith("/admin/plugins")
|| uri.startsWith("/admin/editormd");
}

/**
* 检查是否为敏感操作路径(例如:删除、更新等操作)
*/
private boolean isSensitiveOperation(String uri) {
return uri.contains("/delete") || uri.contains("/update") || uri.contains("/create");
}



@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
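Review bot: The `isSensitiveOperation` guard added to the POST branch turns CSRF validation into an allow-list keyed on three path substrings, so any other state-changing POST under `/admin` whose path lacks `/delete`, `/update` or `/create` now skips the token check entirely, and `contains` also matches those tokens anywhere in the URI rather than as a route segment. A safer default is to validate every POST in the authenticated area and exempt only the login path, e.g. `} else if ("POST".equalsIgnoreCase(request.getMethod()) && uri.startsWith("/admin") && !uri.startsWith("/admin/login")) {`, which removes the need for the substring helper; if specific exemptions are really wanted, list the exempt routes with `startsWith` instead of guessing the sensitive ones with `contains`. The cookie-uid block in the first hunk only has its comment reworded, and the `uid` cookie is still trusted to populate the session, which the comment itself calls forgeable, so the access-control fix named in the title does not appear to land there; worth confirming against the rest of the file. `preHandle` starts before the first hunk and the CSRF-check body continues past the second.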