Vulnerability details

CVE-2022-22978: an application on an affected Spring Security version that uses a RegexRequestMatcher with a particular kind of configuration (a pattern containing '.') may be vulnerable to an authorization bypass.

Affected versions:

5.5.0 <= Spring Security < 5.5.7

5.6.0 <= Spring Security < 5.6.4

Earlier, unsupported versions of Spring Security

Fixed versions:

Spring Security >= 5.5.7

Spring Security >= 5.6.4

Spring Security >= 5.7.0
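As an added illustration (not code from the original post or from the author's project), the configuration below shows the kind of rule the advisory is about next to an equivalent rule that does not go through RegexRequestMatcher at all. The class name, the /admin path and the ADMIN role are assumptions chosen for the example. Rewriting the rule does not replace the version upgrade described in the fix section; it only removes one dependency on regular-expression matching from the authorization configuration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example, not from the original post. Class name, paths and role are assumptions.
 * Written against the Spring Security 5.5.x / 5.6.x API the post upgrades through, where
 * WebSecurityConfigurerAdapter is still the usual entry point for HTTP authorization rules.
 */
@Configuration
public class AuthzConfigExample extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Rule of the kind the advisory covers: a regular expression containing '.'
            // applied to request paths. On 5.5.0-5.5.6 and 5.6.0-5.6.3 this is the
            // configuration CVE-2022-22978 concerns, so it is left commented out here.
            // .regexMatchers("/admin/.*").hasRole("ADMIN")

            // Equivalent rule expressed as an Ant-style pattern. It is matched by
            // AntPathRequestMatcher, not RegexRequestMatcher, and is therefore outside
            // the scope of this CVE.
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

After upgrading, it is still worth auditing every remaining regexMatchers(...) rule in the code base, since the advisory singles out patterns containing '.' rather than regex rules in general.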

Fix

Edit pom.xml:

<properties>
    <spring-security.version>5.5.8</spring-security.version>
</properties>

Spring Boot itself has to be upgraded at the same time for this to take effect; I upgraded to

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.14</version>
    <relativePath/>
</parent>

After the upgrade I ran into the following problems:

1. The CORS configuration stopped working: I deleted the previous configuration and rewrote a method

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import java.util.Arrays;

/**
 * @author hecai
 * @description: TODO
 * @date 2022/10/17 13:33
 * @Version 1.0
 */
@Configuration
public class CorsConfig {
    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        // Since Spring 5.3, allowedOriginPatterns must be used instead of allowedOrigins("*")
        // when credentials are allowed. "*" together with credentials accepts every origin,
        // so narrow this list to the real front-end origins in production.
        config.setAllowedOriginPatterns(Arrays.asList("*"));
        config.setAllowCredentials(true);
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
        // Give the CorsFilter the highest priority so it runs before the Spring Security filter chain
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }
}

2. The Quartz scheduled-task package's automatic data source wiring stopped working; I changed the configuration file to:

import com.baomidou.dynamic.datasource.DynamicRoutingDataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.quartz.SchedulerFactoryBean;
import javax.sql.DataSource;
import java.util.Properties;

@Configuration
public class SchedulerConfigurations {
    @Autowired
    DynamicRoutingDataSource dynamicDataSource;

    @Bean(name = "SchedulerFactoryBeanNameCunzai")
    public SchedulerFactoryBean schedulerFactoryBean() {
        // Pick the "scheduler" data source explicitly from the dynamic routing source
        // instead of relying on auto-configuration, which no longer wired it after the upgrade
        DataSource dataSource = dynamicDataSource.getDataSource("scheduler");
        SchedulerFactoryBean factory = new SchedulerFactoryBean();
        factory.setDataSource(dataSource);
        Properties prop = new Properties();
        prop.put("org.quartz.scheduler.instanceName", "AmychScheduler");
        prop.put("org.quartz.scheduler.instanceId", "AUTO");
        prop.put("org.quartz.threadPool.class", "org.quartz.simpl.SimpleThreadPool");
        prop.put("org.quartz.threadPool.threadCount", "20");
        prop.put("org.quartz.threadPool.threadPriority", "5");
        // Clustered JDBC job store backed by the Spring-managed data source set above
        prop.put("org.quartz.jobStore.class", "org.springframework.scheduling.quartz.LocalDataSourceJobStore");
        prop.put("org.quartz.jobStore.isClustered", "true");
        prop.put("org.quartz.jobStore.clusterCheckinInterval", "15000");
        prop.put("org.quartz.jobStore.maxMisfiresToHandleAtATime", "1");
        prop.put("org.quartz.jobStore.misfireThreshold", "12000");
        prop.put("org.quartz.jobStore.tablePrefix", "QRTZ_");
        prop.put("org.quartz.jobStore.selectWithLockSQL", "SELECT * FROM {0}LOCKS UPDLOCK WHERE LOCK_NAME = ?");
        factory.setQuartzProperties(prop);
        factory.setSchedulerName("AmychScheduler");
        factory.setStartupDelay(30);
        factory.setApplicationContextSchedulerContextKey("applicationContextKey");
        factory.setOverwriteExistingJobs(true);
        factory.setAutoStartup(true);
        return factory;
    }
}

3. The Quartz package's configuration class was originally written in the underlying code (an internal company wrapper that currently nobody maintains) and was registered in the container automatically. I can no longer modify that underlying code, so what I did was: remove that bean from the container and use my modified class instead.

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
import org.springframework.stereotype.Component;

/**
 * @author hecai
 * @description: TODO
 * @date 2022/10/17 10:59
 * @Version 1.0
 */
@Component
public class RemoveRegistyBeanFactoryPostProcessor implements BeanDefinitionRegistryPostProcessor {
    /**
     * Removes the bean definition registered by the underlying code.
     * "schedulerFactoryBean" is the name of that bean.
     * @param beanDefinitionRegistry
     * @throws BeansException
     */
    @Override
    public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry beanDefinitionRegistry) throws BeansException {
        if (beanDefinitionRegistry.containsBeanDefinition("schedulerFactoryBean")) {
            beanDefinitionRegistry.removeBeanDefinition("schedulerFactoryBean");
        }
    }

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory configurableListableBeanFactory) throws BeansException {
        // Nothing to do here; only the registry step above is needed
    }
}