public/dataease
1
0
Fork 0
mirror of https://github.com/dataease/dataease.git synced 2026-05-19 10:18:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 禁用不安全的请求类型

Browse Source
This commit is contained in:
fit2cloud-chenyw
2024-11-17 14:06:31 +08:00
parent 13db420043
commit df91dd2611
11 changed files with 52 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java
View File

@@ -5,6 +5,7 @@ import io.dataease.constant.AuthConstant;
import io.dataease.utils.*;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import java.io.IOException;
@@ -16,6 +17,22 @@ public class TokenFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
String method = request.getMethod();
if (!StringUtils.equalsAny(method, "GET", "POST", "OPTIONS")) {
HttpServletResponse res = (HttpServletResponse) servletResponse;
res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
return;
}
if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {
String origin = request.getHeader("Origin");
if (StringUtils.isBlank(origin)) {
HttpServletResponse res = (HttpServletResponse) servletResponse;
res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
return;
}
filterChain.doFilter(servletRequest, servletResponse);
return;
}
String requestURI = request.getRequestURI();
if (ModelUtils.isDesktop()) {
@@ -28,10 +45,7 @@ public class TokenFilter implements Filter {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
if (StringUtils.equalsIgnoreCase("OPTIONS", ServletUtils.request().getMethod())) {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
String executeVersion = null;
if (StringUtils.isNotBlank(executeVersion = VersionUtil.getRandomVersion())) {
Objects.requireNonNull(ServletUtils.response()).addHeader(AuthConstant.DE_EXECUTE_VERSION, executeVersion);

28
sdk/common/src/main/java/io/dataease/auth/interceptor/CorsConfig.java
View File

@@ -1,12 +1,12 @@
package io.dataease.auth.interceptor;
import io.dataease.constant.AuthConstant;
import jakarta.annotation.Resource;
import org.apache.commons.collections4.CollectionUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@@ -15,17 +15,11 @@ import java.util.List;
@Configuration
public class CorsConfig implements WebMvcConfigurer {
@Resource(name = "deCorsInterceptor")
private CorsInterceptor corsInterceptor;
@Value("#{'${dataease.origin-list:http://127.0.0.1:8100}'.split(',')}")
private List<String> originList;
@Override
public void addInterceptors(InterceptorRegistry registry) {
corsInterceptor.addOriginList(originList);
registry.addInterceptor(corsInterceptor).addPathPatterns("/**");
}
private CorsRegistration operateCorsRegistration;
@Override
public void configurePathMatch(PathMatchConfigurer configurer) {
@@ -34,11 +28,21 @@ public class CorsConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
operateCorsRegistration = registry.addMapping("/**")
.allowCredentials(true)
.allowedOriginPatterns("*")
.allowedOrigins(originList.toArray(new String[0]))
.allowedHeaders("*")
.maxAge(3600)
.allowedMethods("*");
.allowedMethods("GET", "POST");
}
public void addAllowedOrigins(List<String> origins) {
if (CollectionUtils.isEmpty(origins)) {
return;
}
origins.addAll(originList);
List<String> newOrigins = origins.stream().distinct().toList();
String[] originArray = newOrigins.toArray(new String[0]);
operateCorsRegistration.allowedOrigins(originArray);
}
}

86
sdk/common/src/main/java/io/dataease/auth/interceptor/CorsInterceptor.java
View File

@@ -1,86 +0,0 @@
package io.dataease.auth.interceptor;
import io.dataease.utils.CommonBeanFactory;
import io.dataease.utils.DeReflectUtil;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import org.springframework.util.ReflectionUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
@Component("deCorsInterceptor")
public class CorsInterceptor implements HandlerInterceptor {
private final List<String> originList;
private final List<String> busiOriginList = new ArrayList<>();
private Class<?> aClass;
private Object bean;
public CorsInterceptor(List<String> originList) {
this.originList = originList;
}
public void addOriginList(List<String> list) {
List<String> strings = list.stream().filter(item -> !originList.contains(item)).toList();
originList.addAll(strings);
}
public void addOriginList() {
busiOriginList.clear();
String className = "io.dataease.api.permissions.embedded.api.EmbeddedApi";
String methodName = "domainList";
if (ObjectUtils.isEmpty(aClass)) {
try {
aClass = Class.forName(className);
} catch (ClassNotFoundException e) {
return;
}
}
if (ObjectUtils.isEmpty(bean)) {
bean = CommonBeanFactory.getBean(aClass);
}
if (ObjectUtils.isNotEmpty(bean)) {
Method method = DeReflectUtil.findMethod(aClass, methodName);
Object result = ReflectionUtils.invokeMethod(method, bean);
if (ObjectUtils.isNotEmpty(result)) {
List<String> list = (List<String>) result;
if (CollectionUtils.isNotEmpty(list)) {
busiOriginList.addAll(list.stream().distinct().toList());
}
}
}
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
addOriginList();
String origin = request.getHeader("Origin");
boolean embedded = StringUtils.startsWithAny(request.getRequestURI(), "/assets/", "/js/");
if ((StringUtils.isNotBlank(origin) && originList.contains(origin)) || busiOriginList.contains(origin) || embedded) {
response.setHeader("Access-Control-Allow-Origin", embedded ? "*" : origin);
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "*");
response.setHeader("Access-Control-Max-Age", "3600");
}
if (StringUtils.equalsIgnoreCase(request.getMethod(), "options")) {
response.setStatus(200);
return false;
}
return true;
}
}