public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-06-12 16:31:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 【漏洞】 全局静态后缀白名单匹配过宽

Browse Source
This commit is contained in:
tjlygdx
2026-05-18 17:42:57 +08:00
parent 304104d70e
commit 1e1fd9f727
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
View File

@@ -13,6 +13,13 @@ import static io.dataease.result.ResultCode.INTERFACE_ADDRESS_INVALID;
public class WhitelistUtils {
private static String contextPath;
private static final List<String> STATIC_PATH_PREFIXES = List.of(
"/assets/",
"/static/"
);
private static final List<String> STATIC_FILES = List.of(
"/favicon.ico"
);
public static String getContextPath() {
@@ -68,7 +75,7 @@ public class WhitelistUtils {
requestURI = requestURI.replaceFirst(AuthConstant.DE_OIDCAPI_PREFIX, "");
}
return WHITE_PATH.contains(requestURI)
|| StringUtils.endsWithAny(requestURI, ".gif",".ico", "js", ".css", "svg", "png", "jpg", "js.map", ".otf", ".ttf", ".woff2")
|| isStaticAssetRequest(requestURI)
|| StringUtils.startsWithAny(requestURI, "data:image")
|| StringUtils.startsWithAny(requestURI, "/login/platformLogin/")
|| StringUtils.startsWithAny(requestURI, "/static-resource/")
@@ -93,6 +100,11 @@ public class WhitelistUtils {
|| StringUtils.startsWithAny(requestURI, "/communicate/down/");
}
private static boolean isStaticAssetRequest(String requestURI) {
return STATIC_FILES.contains(requestURI)
|| STATIC_PATH_PREFIXES.stream().anyMatch(requestURI::startsWith);
}
public static String getBaseApiUrl(String redirect_uri) {
if (StringUtils.endsWith(redirect_uri, "/")) {
redirect_uri = redirect_uri.substring(0, redirect_uri.length() - 1);