springboot springcloud gateway 中的 undertow 禁止接收trace请求(修复漏洞)

  • 开发
  • 50

1.定义两个类:
CustomHttpHandler.java

import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.StatusCodes;

public class CustomHttpHandler implements HttpHandler {
    private final HttpHandler next;

    public CustomHttpHandler(HttpHandler next) {
        this.next = next;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if ("TRACE".equals(exchange.getRequestMethod().toString())) {
            exchange.setStatusCode(StatusCodes.FORBIDDEN);
            exchange.endExchange();
            return;
        }
        // 其他处理逻辑
        next.handleRequest(exchange);
    }
}

UndertowConfigCustomizer.java

import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;

@Component
public class UndertowConfigCustomizer implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo ->
                deploymentInfo.addInitialHandlerChainWrapper(httpHandler -> new CustomHttpHandler(httpHandler))
        );
    }
}

但是对于spring cloud gateway 网关服务 还需要单独定义过滤器,才能修复
DisableTraceFilter.java

import io.netty.handler.codec.http.HttpMethod;
import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Component
public class DisableTraceFilter implements WebFilter, Ordered {

    @Override
    public int getOrder() {
        // 确保此过滤器优先于其他过滤器
        return Integer.MIN_VALUE;
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        if (HttpMethod.TRACE.name().equals(exchange.getRequest().getMethod().name())) {
            // 返回403禁止访问
            exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }
}
阅读全部

相关推荐

  1. springboot springcloud gateway undertow 禁止接收trace请求修复漏洞

    2024-04-23 07:40:01       51 阅读

  2. 修复www服务trace漏洞

    2024-04-23 07:40:01       36 阅读

  4. 替换掉Springboot框架Tomcat,使用undertow

    2024-04-23 07:40:01       38 阅读

  5. 跨站请求伪造 CSRF 漏洞原理以及修复方法

    2024-04-23 07:40:01       52 阅读

  8. SpringbootTomcat配置及切换Undertow

    2024-04-23 07:40:01       36 阅读

  9. http请求头和响应头安全漏洞bug修改

    2024-04-23 07:40:01       58 阅读

  10. 全栈自我修养 ———— uniapp封装api请求

    2024-04-23 07:40:01       34 阅读

最近更新

  3. docker php8.1+nginx base 镜像 dockerfile 配置

    2024-04-23 07:40:01       94 阅读

  4. Could not load dynamic library ‘cudart64_100.dll‘

    2024-04-23 07:40:01       100 阅读

  9. 在Django里面运行非项目文件

    2024-04-23 07:40:01       82 阅读

  19. Python语言-面向对象

    2024-04-23 07:40:01       91 阅读

  20. 如何分清楚常见的 Git 分支管理策略Git Flow、GitHub Flow 和 GitLab Flow

    2024-04-23 07:40:01       85 阅读

热门阅读

  1. 介绍下volatile关键字

    2024-04-23 07:40:01       37 阅读

  7. npm包管理器

    2024-04-23 07:40:01       44 阅读

  8. 我的创作纪念日

    2024-04-23 07:40:01       37 阅读

  9. npm 打包后自动压缩成zip文件

    2024-04-23 07:40:01       152 阅读

  17. 网安DOS命令(基础)

    2024-04-23 07:40:01       39 阅读

  21. 【Ansible】03

    2024-04-23 07:40:01       157 阅读

  22. APP开发_ js 控制手机是否显示状态栏

    2024-04-23 07:40:01       152 阅读

  24. Cargo 使用教程

    2024-04-23 07:40:01       30 阅读

  25. 数据分析-numpy

    2024-04-23 07:40:01       38 阅读

  28. php原生简单应用实例(用户登录)

    2024-04-23 07:40:01       26 阅读