URL存在http host头攻击漏洞-修复方案

URL存在http host头攻击漏洞-修复方案

spring boot使用注解的方式 --

第一步：在自定义filter类上添加如下注释

package com.cmcc.hy.mobile.config;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;

/**
 * @author wangzhengrong
 * @date 2019/1/22 11:09
 */
@WebFilter(filterName = "otherFilter")
public class HostFilter implements Filter {

  /**
   * 自定义实现host白名单添加
   */
  @Value("${ALLOWED_SERVERNAMES}")
  private String ALLOWED_SERVERNAMES;

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
//    System.out.println("Filter初始化中");
  }

  /**
   * host拦截
   */
  @Override
  public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
      FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
//    String host = request.getHeader("host");
    String serverName = request.getServerName();
    System.out.println("serverName-debug:" + serverName);
    if (!isEmpty(serverName)) {
      if (checkBlankList(serverName)) {
        filterChain.doFilter(servletRequest, servletResponse);
      } else {
        System.out.println("[serverName deny access tips]->" + serverName);
//        response.getWriter().print("host deny");
        response.setStatus(403);
        response.flushBuffer();
      }
    } else {
      filterChain.doFilter(servletRequest, servletResponse);
    }

  }

  @Override
  public void destroy() {
//    System.out.println("Filter销毁");
  }

  /**
   * 校验当前host是否在白名单中
   */
  private boolean checkBlankList(String serverName) {
    String[] allowdServerName = ALLOWED_SERVERNAMES.split(",");
    List<String> serverNameList = Arrays.asList(allowdServerName);
    for(String str : serverNameList){
      if(!isEmpty(str) && str.equals(serverName)){
        return true;
      }
    }
    return false;
  }

  /**
   * 判空
   */
  public boolean isEmpty(Object str) {
    return str == null || "".equals(str);
  }

}

 

第二步：还需要在启动类上添加注释 @ServletComponentScan，以确保能扫描的Filter类，当然也可以指定该注解的basePackages属性。这里需要注意的是，使用这种方式时，不能像第一种方式那样指定filter顺序，使用Order注解也无效