fix: 校验origin, 有些socket请求不安全

metersphere · Oct 13, 2023 · 1004753 · 1004753
1 parent 466ca2f
commit 1004753
Showing 1 changed file with 25 additions and 3 deletions.
diff --git a/backend/src/main/java/io/metersphere/security/CsrfFilter.java b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
@@ -37,6 +37,12 @@ protected boolean onPreHandle(ServletRequest request, ServletResponse response,
         if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
             return true;
         }
+        // 校验 referer
+        validateReferer(httpServletRequest);
+
+        // 校验 origin
+        validateOrigin(httpServletRequest);
+
         // websocket 不需要csrf
         String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key");
         if (StringUtils.isNotBlank(websocketKey)) {
@@ -47,11 +53,27 @@ protected boolean onPreHandle(ServletRequest request, ServletResponse response,
         String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
         // 校验 token
         validateToken(csrfToken);
-        // 校验 referer
-        validateReferer(httpServletRequest);
+
         return true;
     }
 
+    private void validateOrigin(HttpServletRequest httpServletRequest) {
+        Environment env = CommonBeanFactory.getBean(Environment.class);
+        String domains = env.getProperty("origin.urls");
+        if (StringUtils.isBlank(domains)) {
+            // 没有配置不校验
+            return;
+        }
+
+        String[] split = StringUtils.split(domains, ",");
+        String origin = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
+        if (split != null) {
+            if (!ArrayUtils.contains(split, origin)) {
+                throw new RuntimeException("csrf origin error");
+            }
+        }
+    }
+
     private void validateReferer(HttpServletRequest request) {
         Environment env = CommonBeanFactory.getBean(Environment.class);
         String domains = env.getProperty("referer.urls");
@@ -64,7 +86,7 @@ private void validateReferer(HttpServletRequest request) {
         String referer = request.getHeader(HttpHeaders.REFERER);
         if (split != null) {
             if (!ArrayUtils.contains(split, referer)) {
-                throw new RuntimeException("csrf error");
+                throw new RuntimeException("csrf referer error");
             }
         }
     }