From 869c4b1cb621bf126684b9d0bac8d4af7dd7003c Mon Sep 17 00:00:00 2001
From: "1437892690@qq.com" <1437892690@qq.com>
Date: Mon, 9 Jun 2025 19:15:23 +0800
Subject: [PATCH] =?UTF-8?q?[=E5=8A=9F=E8=83=BD]=20Spring=E6=BC=8F=E6=B4=9E?=
=?UTF-8?q?=EF=BC=8C=E5=A2=9E=E5=8A=A0=E4=B8=80=E4=B8=AAPathTraversalFilte?=
=?UTF-8?q?r=E5=92=8CResourcesConfig=E7=B1=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
关联 #[1439907375972352]Spring漏洞,增加一个PathTraversalFilter和ResourcesConfig类 http://192.168.0.96:8090/demo/rdm.html#/story-detail/939050947543040/939050947543042/1439907375972352
---
.../framework/filter/PathTraversalFilter.java | 57 +++++++++++++++++++
.../framework/webconfig/ResourcesConfig.java | 48 ++++++++++++++++
2 files changed, 105 insertions(+)
create mode 100644 src/main/java/neatlogic/framework/filter/PathTraversalFilter.java
create mode 100644 src/main/java/neatlogic/framework/webconfig/ResourcesConfig.java
diff --git a/src/main/java/neatlogic/framework/filter/PathTraversalFilter.java b/src/main/java/neatlogic/framework/filter/PathTraversalFilter.java
new file mode 100644
index 000000000..89c36e186
--- /dev/null
+++ b/src/main/java/neatlogic/framework/filter/PathTraversalFilter.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2025 深圳极向量科技有限公司 All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package neatlogic.framework.filter;
+
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class PathTraversalFilter implements Filter {
+
+ // 需要检查的请求参数类型
+ private static final String[] CHECKED_PARAMS = {
+ "fileName", "filePath", "path", "download"
+ };
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ // 检测所有参数值
+ for (String paramName : CHECKED_PARAMS) {
+ String paramValue = httpRequest.getParameter(paramName);
+ if (paramValue != null && isUnsafePath(paramValue)) {
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid path detected");
+ return;
+ }
+ }
+ filterChain.doFilter(request, response);
+ }
+
+ private boolean isUnsafePath(String value) {
+ // 检测多种路径遍历模式(包含URL编码形式)
+ return value.contains("../")
+ || value.contains("..\\")
+ || value.contains("%2e%2e/")
+ || value.contains("%2e%2e%2f")
+ || value.contains("..%2f")
+ || value.matches(".*\\b(?:absolute|true)path\\b.*");
+ }
+}
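Review bot: The denylist in `isUnsafePath` is case-sensitive and matches only a few literal spellings, so an upper-case `%2E%2E/`, a `..` segment ending in a backslash, or a second value under the same parameter name goes through unchecked, and `doFilter` reads only the first value via `getParameter` while `String.matches` recompiles the regex on every request. A single cached `Pattern` with `CASE_INSENSITIVE`, applied to every value from `getParameterValues`, covers the same forms uniformly (sketch below; it needs `import java.util.regex.Pattern;`). Because a parameter denylist can never be complete, the file-access code this protects should still canonicalise the resolved path and confirm it stays under its base directory (`base.resolve(in).normalize().startsWith(base)`). Nothing in this patch registers the filter — no `@Component`/`@WebFilter` and no registration bean — so unless it is wired in elsewhere it does not run; worth confirming. The `\b(?:absolute|true)path\b` alternative has no comment saying which parameter values it is meant to reject; add one so the next maintainer does not drop it as noise.
```java
// Case-insensitive, compiled once; ".." with either separator, its percent-encoded forms, and the two path keywords.
private static final Pattern TRAVERSAL = Pattern.compile(
        "\\.\\.[/\\\\]|%2e%2e(?:/|%2f|%5c)|\\.\\.%2f|\\b(?:absolute|true)path\\b",
        Pattern.CASE_INSENSITIVE);

// … unchanged: doFilter prologue (casts) …
for (String paramName : CHECKED_PARAMS) {
    String[] values = httpRequest.getParameterValues(paramName);
    if (values == null) {
        continue;
    }
    for (String paramValue : values) {
        if (isUnsafePath(paramValue)) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid path detected");
            return;
        }
    }
}
filterChain.doFilter(request, response);
// … unchanged: end of doFilter …

/** Returns true when the value contains a path-traversal pattern (see TRAVERSAL). */
private boolean isUnsafePath(String value) {
    return TRAVERSAL.matcher(value).find();
}
```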
diff --git a/src/main/java/neatlogic/framework/webconfig/ResourcesConfig.java b/src/main/java/neatlogic/framework/webconfig/ResourcesConfig.java
new file mode 100644
index 000000000..2021a4dee
--- /dev/null
+++ b/src/main/java/neatlogic/framework/webconfig/ResourcesConfig.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2025 深圳极向量科技有限公司 All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package neatlogic.framework.webconfig;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.resource.PathResourceResolver;
+
+import java.io.IOException;
+
+@Configuration
+public class ResourcesConfig implements WebMvcConfigurer {
+
+ @Override
+ public void addResourceHandlers(ResourceHandlerRegistry registry) {
+ registry.addResourceHandler("/static/**")
+ .addResourceLocations("classpath:/static/")
+ .setCachePeriod(3600)
+ .resourceChain(true)
+ .addResolver(new PathResourceResolver() {
+ @Override
+ protected Resource getResource(String resourcePath, Resource location) throws IOException {
+ // 检查路径是否合法,避免路径遍历
+ if (resourcePath.contains("./") || resourcePath.contains("..")) {
+ return null; // 返回 null 表示不允许访问
+ }
+ return super.getResource(resourcePath, location);
+ }
+ });
+ }
+}
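Review bot: The `contains("./")` test in the overridden `getResource` also rejects otherwise valid resources whose segment merely ends in a dot (`a./b`), when the intent is presumably `..` components, and the check runs on `resourcePath` after Spring has already processed it, so the code should state what this override adds: `PathResourceResolver` already verifies through `checkResource` that a resolved resource lies under `location`, making this an earlier, second gate rather than the primary control. Suggested Javadoc on the anonymous class: `/** Defence in depth: reject ".." and "./" before resolution; PathResourceResolver#checkResource still enforces that the result lies under the location. */`, and an English comment next to `return null` noting that null is the superclass contract for "not found". As a point of style, the anonymous subclass would read better as a named `private static final class SafePathResourceResolver` nested in ResourcesConfig. If the application already serves `/static/**` from another handler, this registration may shadow or conflict with it — that cannot be checked from the patch alone.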
--
Gitee