• Undertow in Spring Boot / Spring Cloud Gateway: refusing HTTP TRACE requests (vulnerability fix)


    1. Define two classes:
    CustomHttpHandler.java

    import io.undertow.server.HttpHandler;
    import io.undertow.server.HttpServerExchange;
    import io.undertow.util.StatusCodes;
    
    public class CustomHttpHandler implements HttpHandler {
        private final HttpHandler next;
    
        public CustomHttpHandler(HttpHandler next) {
            this.next = next;
        }
    
        @Override
        public void handleRequest(HttpServerExchange exchange) throws Exception {
            // Reject TRACE outright with 403 and finish the exchange so nothing downstream runs
            if ("TRACE".equals(exchange.getRequestMethod().toString())) {
                exchange.setStatusCode(StatusCodes.FORBIDDEN);
                exchange.endExchange();
                return;
            }
            // Any other method: hand the request on to the wrapped handler chain
            next.handleRequest(exchange);
        }
    }
    

    UndertowConfigCustomizer.java

    import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.stereotype.Component;
    
    @Component
    // The type parameter is required: with the raw WebServerFactoryCustomizer type,
    // customize(UndertowServletWebServerFactory) does not override the interface method
    // and the @Override annotation fails to compile.
    public class UndertowConfigCustomizer implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
        @Override
        public void customize(UndertowServletWebServerFactory factory) {
            // Wrap the very first handler in the deployment so TRACE is rejected before
            // the servlet container or any Spring filter sees the request
            factory.addDeploymentInfoCustomizers(deploymentInfo ->
                    deploymentInfo.addInitialHandlerChainWrapper(httpHandler -> new CustomHttpHandler(httpHandler))
            );
        }
    }
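    To confirm the handler behaves as intended, here is an added JUnit 5 test (not part of the original post) that boots an embedded Undertow server with CustomHttpHandler wrapped around a stub handler that answers 200 to everything, then checks that TRACE comes back as 403 while GET still reaches the wrapped handler. It assumes the CustomHttpHandler class above, undertow-core and junit-jupiter are on the test classpath; the stub handler and the ephemeral port are constructed for the test.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import io.undertow.Undertow;
import io.undertow.util.Headers;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;

class CustomHttpHandlerTest {
    private static Undertow server;
    private static int port;

    @BeforeAll
    static void start() {
        // Constructed stub: without CustomHttpHandler in front, every method would get 200 "ok"
        server = Undertow.builder()
                .addHttpListener(0, "127.0.0.1") // port 0 = let the OS pick a free port
                .setHandler(new CustomHttpHandler(exchange -> {
                    exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                    exchange.getResponseSender().send("ok");
                }))
                .build();
        server.start();
        // Read back the port that was actually bound
        port = ((InetSocketAddress) server.getListenerInfo().get(0).getAddress()).getPort();
    }

    @AfterAll
    static void stop() {
        server.stop();
    }

    // Issue one request with the given method and return only the status code.
    // HttpURLConnection permits TRACE in setRequestMethod, and getResponseCode()
    // returns 4xx codes without throwing.
    private static int status(String method) throws Exception {
        HttpURLConnection conn =
                (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/").openConnection();
        conn.setRequestMethod(method);
        int code = conn.getResponseCode();
        conn.disconnect();
        return code;
    }

    @Test
    void traceIsRejectedWith403() throws Exception {
        assertEquals(403, status("TRACE"));
    }

    @Test
    void getStillReachesWrappedHandler() throws Exception {
        assertEquals(200, status("GET"));
    }
}
```

    The test deliberately bypasses Spring: it exercises the Undertow handler on its own, so a failure here points at the handler rather than at how the customizer is registered.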
    

    For a Spring Cloud Gateway service, however, a separate filter still has to be defined before the fix takes effect: the gateway runs on the reactive (WebFlux) stack, so the servlet-based Undertow customizer above is not applied there.
    DisableTraceFilter.java

    import org.springframework.core.Ordered;
    import org.springframework.http.HttpMethod;
    import org.springframework.http.HttpStatus;
    import org.springframework.stereotype.Component;
    import org.springframework.web.server.ServerWebExchange;
    import org.springframework.web.server.WebFilter;
    import org.springframework.web.server.WebFilterChain;
    import reactor.core.publisher.Mono;
    
    @Component
    public class DisableTraceFilter implements WebFilter, Ordered {
    
        @Override
        public int getOrder() {
            // Make sure this filter runs before every other filter
            return Integer.MIN_VALUE;
        }
    
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            // Compare against Spring's own HttpMethod rather than Netty's: this needs no Netty
            // import, and equals() on the request method is null-safe on Spring 5, where
            // getMethod() can return null for a non-standard method
            if (HttpMethod.TRACE.equals(exchange.getRequest().getMethod())) {
                // Return 403 Forbidden and complete the response without calling the chain
                exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
                return exchange.getResponse().setComplete();
            }
            return chain.filter(exchange);
        }
    }
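    The gateway filter can be checked the same way without starting Spring Cloud Gateway. The following JUnit 5 test is an added example, not part of the original post: it mounts DisableTraceFilter in front of a constructed stub WebHandler using WebTestClient's mock server, and asserts that TRACE is answered with 403 while a GET passes through to the stub. It assumes the DisableTraceFilter class above plus spring-webflux, spring-test and junit-jupiter on the test classpath.

```java
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.server.WebHandler;

class DisableTraceFilterTest {
    // Constructed stub standing in for the gateway's routing: it answers 200 to
    // anything the filter lets through, so a 200 proves the chain was invoked
    private final WebHandler okHandler = exchange -> {
        exchange.getResponse().setStatusCode(HttpStatus.OK);
        return exchange.getResponse().setComplete();
    };

    // Mock server: no network socket, the filter chain runs in-process
    private final WebTestClient client = WebTestClient
            .bindToWebHandler(okHandler)
            .webFilter(new DisableTraceFilter())
            .build();

    @Test
    void traceIsForbidden() {
        client.method(HttpMethod.TRACE).uri("/any/route").exchange()
              .expectStatus().isForbidden();
    }

    @Test
    void otherMethodsReachTheHandler() {
        client.get().uri("/any/route").exchange()
              .expectStatus().isOk();
    }
}
```

    Because the filter is registered with Integer.MIN_VALUE as its order, the same assertion holds once the real gateway routes are in place: the request is rejected before any route predicate or gateway filter runs.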
    
  • Original URL: https://blog.csdn.net/qq_33399709/article/details/137972663