Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/09/18 04:14:30 UTC

[GitHub] [servicecomb-java-chassis] nonehat opened a new issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

nonehat opened a new issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591


   The way to obtain the URI in serviceComb is io.vertx.core.http.HttpServerRequest.path(), and the URI obtained this way is not normalized. That is, if the request URI is a deliberately constructed malformed URI such as /cloud/api/v2/aaaa//////././../bbbb/../cccc, request.path() returns the raw value /cloud/api/v2/aaaa//////././../bbbb/../cccc rather than the normalized URI /cloud/api/v2/aaaa/cccc.
   
   When the URI obtained from request.path() is used as the basis for access control, a security vulnerability appears. For example, the following code intends to require authentication for /cloud/api/v2/getFlag before returning the flag.
   // Filter code
   if (request.path().equals("/cloud/api/v2/getFlag")) {
       // authentication code
   }
   
   // Business code
   @RequestMapping("/cloud/api/v2/getFlag")
   public String flag() {
       return "congrats_this_is_the_flag_4_u";
   }
   
   But authentication can be bypassed to obtain the flag: a request URI of /cloud/api/v2///////getFlag bypasses the authentication check, yet the request is still routed to the flag() function, which returns the flag.
   
   After searching the serviceComb API I did not find any API that returns the normalized URI/URL, whereas the Spring framework has a similar API:
   String uri = request.getContextPath() + request.getServletPath() + request.getPathInfo();
   
   **I hope serviceComb can provide an API with similar functionality, so that developers do not misuse path() in critical scenarios and introduce security vulnerabilities.**


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
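
Added example (not code from the issue, from ServiceComb or from Vert.x): the raw-path check from the issue body, and the /api/v2/admin/only variant given later in this thread, beside a hardened check that normalizes the path before matching and a fail-closed check that refuses non-canonical paths outright. Everything in it is constructed for the demo: the PROTECTED set, the class and method names and the probe paths are assumptions, and the only dependency is the JDK (Java 11 or later, for Set.of and single-file launch).

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

/**
 * Added example, not ServiceComb or Vert.x code: the raw-path access check from the
 * issue next to a hardened version that normalizes the path first. The protected
 * paths and the probe URIs are constructed for this demo.
 */
public class PathNormalizationCheck {

    /** Paths that must be authenticated; an assumption for this demo. */
    static final Set<String> PROTECTED = Set.of("/cloud/api/v2/getFlag", "/api/v2/admin/only");

    /** The check as written in the issue: exact match on the raw request path. */
    static boolean needsAuthRaw(String rawPath) {
        return PROTECTED.contains(rawPath);
    }

    /** Hardened check: normalize, then match. */
    static boolean needsAuthNormalized(String rawPath) {
        return PROTECTED.contains(normalizePath(rawPath));
    }

    /**
     * Collapses empty segments ("//"), drops "." segments and resolves ".." against
     * the preceding segment (RFC 3986 section 5.2.4, plus empty-segment removal).
     * A ".." that would climb above the root is dropped; a trailing "/" is dropped
     * too, which is the conservative direction for an allowlist of protected paths.
     * Percent-encoded forms such as "%2e" are NOT decoded here; decode or refuse
     * them before calling this method.
     */
    static String normalizePath(String rawPath) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;           // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                out.pollLast();     // climb one level; a no-op at the root
                continue;
            }
            out.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : out) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** Fail-closed option: refuse any request whose path is not already canonical. */
    static boolean isCanonical(String rawPath) {
        return rawPath.equals(normalizePath(rawPath));
    }

    public static void main(String[] args) {
        String[] probes = {
            "/cloud/api/v2/getFlag",
            "/cloud/api/v2///////getFlag",          // bypass from the issue body
            "/api/v2/admin/////////only",           // bypass from the thread's admin example
            "/api/v2/admin/x/../only",              // dot-segment variant
            "/cloud/api/v2/aaaa//////././../bbbb/../cccc",
        };
        System.out.printf("%-46s %-6s %-24s %-6s %s%n",
            "raw path", "raw", "normalized", "norm", "canonical");
        for (String p : probes) {
            System.out.printf("%-46s %-6s %-24s %-6s %s%n",
                p, needsAuthRaw(p), normalizePath(p), needsAuthNormalized(p), isCanonical(p));
        }
    }
}
```

Run it with `java PathNormalizationCheck.java`. The raw check returns false for both slash-padded probes while the normalized check returns true, which is exactly the gap the issue describes. Two points a reviewer would add: the filter's normalizer has to agree with whatever the dispatcher does, or a new gap opens between the two, so the safer designs are either isCanonical() (reject anything not already in canonical form) or hanging the authorization check off the matched route instead of the raw string; and percent-encoded variants such as %2e%2e are outside what normalizePath() handles and must be decoded or refused first. Note that the last probe comes out as /cloud/api/v2/cccc, since the ".." following the empty and "." segments consumes "aaaa" and "bbbb/.." then cancels itself.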



[GitHub] [servicecomb-java-chassis] nonehat commented on issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

nonehat commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924537961


   import io.vertx.core.Vertx;
   import io.vertx.core.http.HttpServer;

   Vertx vertx = Vertx.vertx();
   // create an HttpServer
   HttpServer server = vertx.createHttpServer();
   server.requestHandler(request -> {
       String uri = request.path();
       // others
   });
   server.listen(8888);



[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

liubao68 commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924536003


   You have not understood what I mean. Mainly, please describe how you obtain the HttpServerRequest object and read the path from it. For example, in a Handler? An HttpServerFilter?
   If you are building an extension directly on the vert.x API, then this issue may not belong in java-chassis.
   



[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

liubao68 commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924540098


   This is the raw vert.x API; it may be more appropriate to file an issue at https://github.com/eclipse-vertx/vert.x.



[GitHub] [servicecomb-java-chassis] nonehat commented on issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

nonehat commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924520032


   String uri = request.path(); // request is an io.vertx.core.http.HttpServerRequest
   Access control is then based on this uri, for example checking that a particular uri is only accessed by an admin:
   if (uri.equals("/api/v2/admin/only")) {
       // check whether the request's cookie belongs to an admin
       // if so, let it through; otherwise, deny
   }
   
   In this case, changing the request uri to /api/v2/admin/////////only bypasses this check while the request is still dispatched normally to the handler.



[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2591: serviceComb has no API for obtaining the normalized URL/URI, which easily leads to security vulnerabilities

liubao68 commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924511512


   java chassis does not expose the vert.x API to business code. In what scenario is `io.vertx.core.http.HttpServerRequest.path()` being used, for example at which extension point? Could you give a more detailed description?
   

