修复路由拦截鉴权可被绕过的问题 fix #515

2025-10-22 03:27:23 +08:00 · 2023-10-16 16:02:19 +08:00
parent f2416a6175
commit 954efeb732
33 changed files with 688 additions and 79 deletions
--- a/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/filter/SaPathCheckFilterForServlet.java
+++ b/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/filter/SaPathCheckFilterForServlet.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2020-2099 sa-token.cc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package cn.dev33.satoken.filter;
+
+import cn.dev33.satoken.exception.RequestPathInvalidException;
+import cn.dev33.satoken.strategy.SaStrategy;
+import cn.dev33.satoken.util.SaTokenConsts;
+import org.springframework.core.annotation.Order;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * 校验请求 path 是否合法
+ *
+ * @author click33
+ * @since 1.37.0
+ */
+@Order(SaTokenConsts.PATH_CHECK_FILTER_ORDER)
+public class SaPathCheckFilterForServlet implements Filter {
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+		// 校验本次请求 path 是否合法
+		try {
+			HttpServletRequest req = (HttpServletRequest) request;
+			SaStrategy.instance.checkRequestPath.run(req.getRequestURI(), request, response);
+		} catch (RequestPathInvalidException e) {
+			if(SaStrategy.instance.requestPathInvalidHandle == null) {
+				response.setContentType("text/plain; charset=utf-8");
+				response.getWriter().print(e.getMessage());
+				response.getWriter().flush();
+            } else {
+				SaStrategy.instance.requestPathInvalidHandle.run(e, request, response);
+            }
+            return;
+        }
+		
+		// 向下执行
+		chain.doFilter(request, response);
+	}
+
+	@Override
+	public void init(FilterConfig filterConfig) {
+	}
+	
+	@Override
+	public void destroy() {
+	}
+
+	
+	
+}
--- a/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/filter/SaServletFilter.java
+++ b/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/filter/SaServletFilter.java
@@ -15,26 +15,19 @@
 */
 package cn.dev33.satoken.filter;

-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-
-import org.springframework.core.annotation.Order;
-
 import cn.dev33.satoken.error.SaSpringBootErrorCode;
 import cn.dev33.satoken.exception.BackResultException;
 import cn.dev33.satoken.exception.SaTokenException;
 import cn.dev33.satoken.exception.StopMatchException;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.util.SaTokenConsts;
+import org.springframework.core.annotation.Order;
+
+import javax.servlet.*;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;

 /**
 * Servlet 全局鉴权过滤器
@@ -147,7 +140,7 @@ public class SaServletFilter implements SaFilter, Filter {
 			// 		请注意此处默认 Content-Type 为 text/plain，如果需要返回 JSON 信息，需要在 return 前自行设置 Content-Type 为 application/json
 			// 		例如：SaHolder.getResponse().setHeader("Content-Type", "application/json;charset=UTF-8");
 			if(response.getContentType() == null) {
-				response.setContentType("text/plain; charset=utf-8"); 
+				response.setContentType(SaTokenConsts.CONTENT_TYPE_TEXT_PLAIN);
 			}
 			response.getWriter().print(result);
 			return;
--- a/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/spring/SaTokenContextRegister.java
+++ b/sa-token-starter/sa-token-spring-boot-starter/src/main/java/cn/dev33/satoken/spring/SaTokenContextRegister.java
@@ -15,9 +15,9 @@
 */
 package cn.dev33.satoken.spring;

-import org.springframework.context.annotation.Bean;
-
 import cn.dev33.satoken.context.SaTokenContext;
+import cn.dev33.satoken.filter.SaPathCheckFilterForServlet;
+import org.springframework.context.annotation.Bean;

 /**
 * 注册 Sa-Token 框架所需要的 Bean
@@ -37,4 +37,14 @@ public class SaTokenContextRegister {
 		return new SaTokenContextForSpring();
 	}

+	/**
+	 * 请求 path 校验过滤器
+	 *
+	 * @return /
+	 */
+	@Bean
+	public SaPathCheckFilterForServlet saPathCheckFilterForServlet() {
+		return new SaPathCheckFilterForServlet();
+	}
+
 }