Merge pull request #194 from didi/dev

reject req when uri contains ..

Merge pull request #194 from didi/dev
reject req when uri contains ..
e351ce74 · EricZeng · GitHub · 77f3096e · f33e585a · e351ce74
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java ...aojukeji/kafka/manager/account/impl/LoginServiceImpl.java +5 -0

未找到文件。
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
@@ -65,6 +65,11 @@ public class LoginServiceImpl implements LoginService {
    @Override
    public boolean checkLogin(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
+        if (uri.contains("..")) {
+            LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal||uri={}", uri);
+            return false;
+        }
+
        if (!(uri.contains(ApiPrefix.API_V1_NORMAL_PREFIX)
                || uri.contains(ApiPrefix.API_V1_RD_PREFIX)
                || uri.contains(ApiPrefix.API_V1_OP_PREFIX))) {