logo标签列表

Spring 5.0.3 请求拒绝异常:由于URL未规范化,请求被拒绝。

spring-mvcspring-security
120

不确定这是Spring 5.0.3的错误还是一个新功能来解决我的问题。

升级后,我遇到了这个错误。有趣的是,这个错误只出现在我的本地机器上。同样的代码在带有HTTPS协议的测试环境中正常工作。

继续...

我之所以会遇到这个错误,是因为加载结果的JSP页面的URL为/location/thisPage.jsp。评估代码request.getRequestURI()给出了结果/WEB-INF/somelocation//location/thisPage.jsp。如果我将JSP页面的URL修复为location/thisPage.jsp,则一切都正常工作。

因此,我的问题是,我应该从代码中的JSP路径中删除/,因为这是未来所需的。还是说Spring引入了一个错误,因为我的机器和测试环境之间唯一的区别是协议HTTPHTTPS

 org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL was not normalized.
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:123)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
3
https://dev59.com/NFYM5IYBdhLWcg3wpRQs#48636757 - Munish Chandel
1
问题计划在5.1.0中解决;目前5.0.0没有这个问题。 - java_dude
8个回答
104

Spring Security文档提到了阻止请求中使用 // 的原因。

例如,它可能包含路径遍历序列(如/../)或多个正斜杠(//),这也可能导致模式匹配失败。一些容器在执行servlet映射之前将其规范化,但其他容器则不会。为了防止出现这些问题,FilterChainProxy使用HttpFirewall策略来检查和包装请求。默认情况下会自动拒绝未规范化的请求,并且会删除用于匹配目的的路径参数和重复斜杠。

因此,有两种可能的解决方案 -

  1. 删除双斜杠(首选方法)
  2. 通过使用以下代码自定义StrictHttpFirewall允许在Spring Security中使用//。

步骤1 创建允许URL中斜杠的自定义防火墙。

@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);    
    return firewall;
}

步骤2 然后在WebSecurity中配置此bean。

@Override
public void configure(WebSecurity web) throws Exception {
    //@formatter:off
    super.configure(web);
    web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
....
}

第二步是可选的,Spring Boot只需要声明一个类型为 HttpFirewall 的bean,并将其自动配置到过滤器链中。

Spring Security 5.4 更新

在Spring security 5.4及以上版本(Spring Boot >= 2.4.0),我们可以通过创建下面的bean来消除关于请求被拒绝的太多日志记录。

import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;

@Bean
RequestRejectedHandler requestRejectedHandler() {
   return new HttpStatusRequestRejectedHandler();
}
是的,路径遍历安全性已经被引入。这是一个新功能,可能会导致问题。但我不太确定,因为你看它在HTTPS上运行而不是HTTP上。我宁愿等到这个错误被解决 https://jira.spring.io/browse/SPR-16419 - java_dude
很有可能是我们问题的一部分...但是用户没有输入 //,所以我正在努力弄清楚第二个 / 是怎么被添加的...如果Spring正在生成我们的JSTL URL,它不应该添加那个斜杠,或者在添加后进行规范化。 - xenoterracide
6
对于 Spring Security 5.1.1,这并没有真正解决问题。如果需要具有两个斜杠的 URL(例如 a/b//c),则必须使用 DefaultHttpFirewall。在 StrictHttpFirewall 中,isNormalized 方法无法进行配置或覆盖。 - Jason Winnebeck
有没有人能够指导如何在Spring中完成这个,而不是使用Boot? - schoon
在我的情况下,一个应用程序被分发了两个“//”。可以通过 firewall.getEncodedUrlBlacklist().remove("//") 解决此问题。发布更新后我会将其删除。 - Guilherme
32

setAllowUrlEncodedSlash(true) 对我没有生效。当有双斜杠时,内部方法 isNormalized 仍然返回 false

我只使用以下代码将 StrictHttpFirewall 替换为 DefaultHttpFirewall

@Bean
public HttpFirewall defaultHttpFirewall() {
    return new DefaultHttpFirewall();
}

对我来说运行良好。
使用DefaultHttpFirewall会有任何风险吗?

1
是的。仅仅因为你不能为你的室友制作备用钥匙,就不意味着你应该把唯一的钥匙放在门垫下面。这是不被建议的。安全性不应该被改变。 - java_dude
27
@java_dude,很棒的是您没有提供任何信息或理由,只是一个模糊的比喻。 - kaqqao
1
这对我有效,但我也必须在我的bean XML中添加以下内容:<sec:http-firewall ref="defaultHttpFirewall"/> - Jason Winnebeck
1
使用这个解决方案有什么影响? - Felipe Desiderati
1
@lainatnavi 不行,因为正如答案中所提到的那样。即使有双斜杠,内部方法 isNormalized 仍会返回 false - dtrunk
显示剩余2条评论
11

我遇到了同样的问题:

Spring Boot版本=1.5.10
Spring Security版本=4.2.4


该问题发生在端点上,其中ModelAndView的viewName以前导斜杠定义。例如:

ModelAndView mav = new ModelAndView("/your-view-here");

如果我去掉斜杠,它就正常工作了。例如:

ModelAndView mav = new ModelAndView("your-view-here");

我也使用了RedirectView进行了一些测试,似乎在前面加上一个斜杠可以正常工作。

2
那不是解决方案。如果这是Spring的一个错误,那该怎么办呢?如果他们改变了它,那么你将不得不再次撤消所有更改。我宁愿等到5.1版本,因为那时它标记为已解决。 - java_dude
1
不需要撤销更改,因为在旧版本中,在未使用前导正斜杠的情况下定义 viewName 完全可以正常工作。 - Torsten Ojaperv
这正是问题所在。如果它之前运行良好且您没有更改任何内容,则Spring可能引入了一个错误。路径应始终以“/”开头。请查看任何Spring文档。请查看以下链接:https://github.com/spring-projects/spring-security/issues/5007和https://github.com/spring-projects/spring-security/issues/5044。 - java_dude
1
这也困扰了我。将所有的ModelAndView更新,但不带前导斜杠“/”,问题得到了解决。 - Nathan Perrier
我开了一个 bug,但是去掉前导 / 对我来说并不是一个解决方法,在大多数情况下我们只是将视图名称作为字符串返回(从控制器中)。需要考虑重定向视图作为解决方案。链接:https://jira.spring.io/browse/SPR-16740 - xenoterracide
显示剩余2条评论
8
我们能否为此编写一些异常处理,以便通知客户其错误的输入? - Indrajeet Gour
6

在我的情况下,从spring-security-web 3.1.3升级到4.2.12后,默认的defaultHttpFirewall被默认更改为StrictHttpFirewall。因此只需要按照以下XML配置进行定义:

<bean id="defaultHttpFirewall" class="org.springframework.security.web.firewall.DefaultHttpFirewall"/>
<sec:http-firewall ref="defaultHttpFirewall"/>

HTTPFirewall设置为DefaultHttpFirewall

1
请在您的代码中添加一些描述,解释正在发生什么以及为什么。这是一个好的实践。如果不这样做,您的答案可能会被删除。它已经被标记为低质量。 - herrbischoff
3
以下方案是一个干净的解决方案。它不会影响安全性,因为我们使用相同的严格防火墙。
修复步骤如下: 步骤1:创建一个类来覆盖 StrictHttpFirewall,如下所示。
package com.biz.brains.project.security.firewall;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpMethod;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;

public class CustomStrictHttpFirewall implements HttpFirewall {
    private static final Set<String> ALLOW_ANY_HTTP_METHOD = Collections.unmodifiableSet(Collections.emptySet());

    private static final String ENCODED_PERCENT = "%25";

    private static final String PERCENT = "%";

    private static final List<String> FORBIDDEN_ENCODED_PERIOD = Collections.unmodifiableList(Arrays.asList("%2e", "%2E"));

    private static final List<String> FORBIDDEN_SEMICOLON = Collections.unmodifiableList(Arrays.asList(";", "%3b", "%3B"));

    private static final List<String> FORBIDDEN_FORWARDSLASH = Collections.unmodifiableList(Arrays.asList("%2f", "%2F"));

    private static final List<String> FORBIDDEN_BACKSLASH = Collections.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));

    private Set<String> encodedUrlBlacklist = new HashSet<String>();

    private Set<String> decodedUrlBlacklist = new HashSet<String>();

    private Set<String> allowedHttpMethods = createDefaultAllowedHttpMethods();

    public CustomStrictHttpFirewall() {
        urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        urlBlacklistsAddAll(FORBIDDEN_FORWARDSLASH);
        urlBlacklistsAddAll(FORBIDDEN_BACKSLASH);

        this.encodedUrlBlacklist.add(ENCODED_PERCENT);
        this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        this.decodedUrlBlacklist.add(PERCENT);
    }

    public void setUnsafeAllowAnyHttpMethod(boolean unsafeAllowAnyHttpMethod) {
        this.allowedHttpMethods = unsafeAllowAnyHttpMethod ? ALLOW_ANY_HTTP_METHOD : createDefaultAllowedHttpMethods();
    }

    public void setAllowedHttpMethods(Collection<String> allowedHttpMethods) {
        if (allowedHttpMethods == null) {
            throw new IllegalArgumentException("allowedHttpMethods cannot be null");
        }
        if (allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
            this.allowedHttpMethods = ALLOW_ANY_HTTP_METHOD;
        } else {
            this.allowedHttpMethods = new HashSet<>(allowedHttpMethods);
        }
    }

    public void setAllowSemicolon(boolean allowSemicolon) {
        if (allowSemicolon) {
            urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        }
    }

    public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) {
        if (allowUrlEncodedSlash) {
            urlBlacklistsRemoveAll(FORBIDDEN_FORWARDSLASH);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_FORWARDSLASH);
        }
    }

    public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) {
        if (allowUrlEncodedPeriod) {
            this.encodedUrlBlacklist.removeAll(FORBIDDEN_ENCODED_PERIOD);
        } else {
            this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        }
    }

    public void setAllowBackSlash(boolean allowBackSlash) {
        if (allowBackSlash) {
            urlBlacklistsRemoveAll(FORBIDDEN_BACKSLASH);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_BACKSLASH);
        }
    }

    public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) {
        if (allowUrlEncodedPercent) {
            this.encodedUrlBlacklist.remove(ENCODED_PERCENT);
            this.decodedUrlBlacklist.remove(PERCENT);
        } else {
            this.encodedUrlBlacklist.add(ENCODED_PERCENT);
            this.decodedUrlBlacklist.add(PERCENT);
        }
    }

    private void urlBlacklistsAddAll(Collection<String> values) {
        this.encodedUrlBlacklist.addAll(values);
        this.decodedUrlBlacklist.addAll(values);
    }

    private void urlBlacklistsRemoveAll(Collection<String> values) {
        this.encodedUrlBlacklist.removeAll(values);
        this.decodedUrlBlacklist.removeAll(values);
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
        rejectForbiddenHttpMethod(request);
        rejectedBlacklistedUrls(request);

        if (!isNormalized(request)) {
            request.setAttribute("isNormalized", new RequestRejectedException("The request was rejected because the URL was not normalized."));
        }

        String requestUri = request.getRequestURI();
        if (!containsOnlyPrintableAsciiCharacters(requestUri)) {
            request.setAttribute("isNormalized",  new RequestRejectedException("The requestURI was rejected because it can only contain printable ASCII characters."));
        }
        return new FirewalledRequest(request) {
            @Override
            public void reset() {
            }
        };
    }

    private void rejectForbiddenHttpMethod(HttpServletRequest request) {
        if (this.allowedHttpMethods == ALLOW_ANY_HTTP_METHOD) {
            return;
        }
        if (!this.allowedHttpMethods.contains(request.getMethod())) {
            request.setAttribute("isNormalized",  new RequestRejectedException("The request was rejected because the HTTP method \"" +
                    request.getMethod() +
                    "\" was not included within the whitelist " +
                    this.allowedHttpMethods));
        }
    }

    private void rejectedBlacklistedUrls(HttpServletRequest request) {
        for (String forbidden : this.encodedUrlBlacklist) {
            if (encodedUrlContains(request, forbidden)) {
                request.setAttribute("isNormalized",  new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""));
            }
        }
        for (String forbidden : this.decodedUrlBlacklist) {
            if (decodedUrlContains(request, forbidden)) {
                request.setAttribute("isNormalized",  new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""));
            }
        }
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return new FirewalledResponse(response);
    }

    private static Set<String> createDefaultAllowedHttpMethods() {
        Set<String> result = new HashSet<>();
        result.add(HttpMethod.DELETE.name());
        result.add(HttpMethod.GET.name());
        result.add(HttpMethod.HEAD.name());
        result.add(HttpMethod.OPTIONS.name());
        result.add(HttpMethod.PATCH.name());
        result.add(HttpMethod.POST.name());
        result.add(HttpMethod.PUT.name());
        return result;
    }

    private static boolean isNormalized(HttpServletRequest request) {
        if (!isNormalized(request.getRequestURI())) {
            return false;
        }
        if (!isNormalized(request.getContextPath())) {
            return false;
        }
        if (!isNormalized(request.getServletPath())) {
            return false;
        }
        if (!isNormalized(request.getPathInfo())) {
            return false;
        }
        return true;
    }

    private static boolean encodedUrlContains(HttpServletRequest request, String value) {
        if (valueContains(request.getContextPath(), value)) {
            return true;
        }
        return valueContains(request.getRequestURI(), value);
    }

    private static boolean decodedUrlContains(HttpServletRequest request, String value) {
        if (valueContains(request.getServletPath(), value)) {
            return true;
        }
        if (valueContains(request.getPathInfo(), value)) {
            return true;
        }
        return false;
    }

    private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
        int length = uri.length();
        for (int i = 0; i < length; i++) {
            char c = uri.charAt(i);
            if (c < '\u0020' || c > '\u007e') {
                return false;
            }
        }

        return true;
    }

    private static boolean valueContains(String value, String contains) {
        return value != null && value.contains(contains);
    }

    private static boolean isNormalized(String path) {
        if (path == null) {
            return true;
        }

        if (path.indexOf("//") > -1) {
            return false;
        }

        for (int j = path.length(); j > 0;) {
            int i = path.lastIndexOf('/', j - 1);
            int gap = j - i;

            if (gap == 2 && path.charAt(i + 1) == '.') {
                // ".", "/./" or "/."
                return false;
            } else if (gap == 3 && path.charAt(i + 1) == '.' && path.charAt(i + 2) == '.') {
                return false;
            }

            j = i;
        }

        return true;
    }

}

第二步:创建一个FirewalledResponse

package com.biz.brains.project.security.firewall;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

class FirewalledResponse extends HttpServletResponseWrapper {
    private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");
    private static final String LOCATION_HEADER = "Location";
    private static final String SET_COOKIE_HEADER = "Set-Cookie";

    public FirewalledResponse(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void sendRedirect(String location) throws IOException {
        // TODO: implement pluggable validation, instead of simple blacklisting.
        // SEC-1790. Prevent redirects containing CRLF
        validateCrlf(LOCATION_HEADER, location);
        super.sendRedirect(location);
    }

    @Override
    public void setHeader(String name, String value) {
        validateCrlf(name, value);
        super.setHeader(name, value);
    }

    @Override
    public void addHeader(String name, String value) {
        validateCrlf(name, value);
        super.addHeader(name, value);
    }

    @Override
    public void addCookie(Cookie cookie) {
        if (cookie != null) {
            validateCrlf(SET_COOKIE_HEADER, cookie.getName());
            validateCrlf(SET_COOKIE_HEADER, cookie.getValue());
            validateCrlf(SET_COOKIE_HEADER, cookie.getPath());
            validateCrlf(SET_COOKIE_HEADER, cookie.getDomain());
            validateCrlf(SET_COOKIE_HEADER, cookie.getComment());
        }
        super.addCookie(cookie);
    }

    void validateCrlf(String name, String value) {
        if (hasCrlf(name) || hasCrlf(value)) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in header " + name);
        }
    }

    private boolean hasCrlf(String value) {
        return value != null && CR_OR_LF.matcher(value).find();
    }
}

步骤 3:创建一个自定义过滤器来抑制RejectedException

package com.biz.brains.project.security.filter;

import java.io.IOException;
import java.util.Objects;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.GenericFilterBean;

import lombok.extern.slf4j.Slf4j;

@Component
@Slf4j
@Order(Ordered.HIGHEST_PRECEDENCE)
public class RequestRejectedExceptionFilter extends GenericFilterBean {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            try {
                RequestRejectedException requestRejectedException=(RequestRejectedException) servletRequest.getAttribute("isNormalized");
                if(Objects.nonNull(requestRejectedException)) {
                    throw requestRejectedException;
                }else {
                    filterChain.doFilter(servletRequest, servletResponse);
                }
            } catch (RequestRejectedException requestRejectedException) {
                HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
                HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
                log
                    .error(
                            "request_rejected: remote={}, user_agent={}, request_url={}",
                            httpServletRequest.getRemoteHost(),  
                            httpServletRequest.getHeader(HttpHeaders.USER_AGENT),
                            httpServletRequest.getRequestURL(), 
                            requestRejectedException
                    );

                httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            }
        }
}

步骤4:在安全配置中将自定义过滤器添加到Spring过滤器链中

@Override
protected void configure(HttpSecurity http) throws Exception {
     http.addFilterBefore(new RequestRejectedExceptionFilter(),
             ChannelProcessingFilter.class);
}

现在使用上述修复方法,我们可以使用错误404页面处理RequestRejectedException
谢谢。这是我暂时使用的方法,允许我们升级Java微服务直到前端应用程序全部升级。我不需要步骤3和4就能成功地使'//'被认为是规范化的。我只是注释了isNormalized中检查双斜杠的条件,然后配置了一个bean来使用CustomStrictHttpFirewall类。 - gtaborga
有没有更简单的解决方法,可以通过配置实现?但是不要关闭防火墙。 - Prathamesh dhanawade
1
这对我有用:
这适用于我:
@Bean
    public HttpFirewall looseHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST"));
        firewall.setAllowSemicolon(true);
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowBackSlash(true);
        firewall.setAllowUrlEncodedPercent(true);
        firewall.setAllowUrlEncodedPeriod(true);
        return firewall;
    }
0
在我的情况下,问题是由于没有在Postman中登录造成的,因此我在另一个选项卡中打开了一个连接,并使用从Chrome会话标头中获取的会话cookie。
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接