springboot解决不安全的HTTP请求方式安全漏洞

简介

在安全漏洞中，有不安全的HTTP请求方式；
原因：
1、Tomcat PUT 的上传漏洞，受影响的版本：Apache Tomcat 7.0.0 to 7.0.79
2、 Nginx 在开启 WebDAV 模式下，如果未配置认证模式，攻击者可以通过自由上传文件方法上传木马攻击服务器。

整改建议：

禁止使用GET、POST以外的HTTP方法，如PUT、DELETE、TRACE等

vue和springboot的解决方式

处理方式：
1、前端在遇到put/delete方法的时候，将该方法改为post方法，然后添加请求头X-HTTP-Method-Override,将真实的请求方式放入；
2、后端：编写过滤器，如果方法是post方法，且有X-HTTP-Method-Override参数的，然后重新转到对应的方法

vue

if (config.method.toLowerCase() === 'put') {config.method = 'post'config.headers['X-HTTP-Method-Override'] = 'put'} else if (config.method.toLowerCase() === 'delete') {config.method = 'post'config.headers['X-HTTP-Method-Override'] = 'delete'}

后端

package com.eshore.framework.security.filter;import org.springframework.stereotype.Component;import org.springframework.util.StringUtils;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.filter.OncePerRequestFilter;import org.springframework.web.filter.RequestContextFilter;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.util.Locale;@Component//这里使用RequestContextFilter，OncePerRequestFilter有时会不生效 public class HttpMethodOverrideHeaderFilter extends RequestContextFilter {private static final String X_HTTP_METHOD_OVERRIDE_HEADER = "X-HTTP-Method-Override";@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)throws ServletException, IOException {String headerValue = request.getHeader(X_HTTP_METHOD_OVERRIDE_HEADER);if (RequestMethod.POST.name().equalsIgnoreCase(request.getMethod()) && StringUtils.hasLength(headerValue)) {String method = headerValue.toUpperCase(Locale.ENGLISH);HttpServletRequest wrapper = new HttpMethodRequestWrapper(request, method);filterChain.doFilter(wrapper, response);}else {filterChain.doFilter(request, response);}}private static class HttpMethodRequestWrapper extends HttpServletRequestWrapper {private final String method;public HttpMethodRequestWrapper(HttpServletRequest request, String method) {super(request);this.method = method;}@Overridepublic String getMethod() {return this.method;}}}