【发布时间】:2021-02-24 20:04:00
【问题描述】:
一家安全公司已将我们的 Spring Boot 2.3.4 应用程序标记为在发送 HTTP TRACE 请求时返回的错误响应。我们正在使用默认情况下已经禁用 HTTP TRACE 的 Tomcat 容器,但是响应确实包含 TRACE 信息。这是输出:
$ curl -k -i -X TRACE --cookie "VULNERABLE=Yes" http://localhost:9090
HTTP/1.1 405
Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
Content-Type: message/http
Content-Length: 116
Date: Fri, 16 Oct 2020 20:41:51 GMT
TRACE /error HTTP/1.1
host: localhost:9090
user-agent: curl/7.64.1
accept: */*
cookie: VULNERABLE=Yes
我能够改变这一点的唯一方法是在使用“@Configuration”注释的配置类中使用此代码启用 HTTP TRACE 请求:
@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
return customizer -> customizer.addConnectorCustomizers(connector -> {
connector.setAllowTrace(true); // filtered in the SecurityFilter with custom error
});
}
然后我添加了一个 servlet 过滤器来拦截请求并返回自定义响应:
@Component
@Order(1)
public class SecurityFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
if (HttpMethod.TRACE.name().equals(request.getMethod())) {
// trace not allowed
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
response.setContentType("message/http");
response.getWriter().println("TRACE method not allowed");
response.getWriter().flush();
return;
}
filterChain.doFilter(servletRequest,servletResponse);
}
@Override
public void destroy() {
}
}
来自同一个 curl 请求的响应是:
HTTP/1.1 405
Content-Type: message/http;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 12 Nov 2020 19:11:13 GMT
TRACE method not allowed
有没有人遇到过类似的问题?似乎启用跟踪只是为了能够更改响应正文不是一个好主意。
【问题讨论】:
-
在 Spring Boot 中有 3 种方法可以做到这一点,请查看 stackoverflow.com/questions/42367975/…
标签: java spring-boot