chillzhuang/SpringBlade

Authorization bypass in blade-gateway

s31k31 opened this issue · 0 comments

src/main/java/org/springblade/gateway/filter/AuthFilter.java

In the isSkip() method of AuthFilter.java, url.replace(AuthProvider.TARGET, AuthProvider.REPLACEMENT) is equivalent to url.replace("/**", ""), which removes the /** from each entry in defaultSkipUrl and then determines whether the path contains one of those URLs.

Note that contains is used, that is, path::contains, which means that as long as the incoming path contains /token or one of the URLs in defaultSkipUrl, authorization can be bypassed.

Using the URL parsing behaviour, you can append ;%2ftoken to the request so that the URL is considered to contain /token while the route is still resolved correctly by the gateway, resulting in unauthorized access.


The original request without Blade-Auth is blocked.
http://localhost/blade-gateway/discovery/instances

Add %2ftoken to the end of the URL to bypass authorization.
http://localhost/blade-gateway/discovery/instances;%2ftoken
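The substring weakness described in the report beside a fail-closed check, as an added Java illustration that is not SpringBlade's code: the class, method names and skip list are constructed, and a real fix inside the gateway should additionally match against the path the gateway actually routes (for example with AntPathMatcher) rather than a hand-normalised string.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

/** Skip-list check in the shape the report describes; added illustration, not SpringBlade code. */
public class SkipUrlCheck {
    // Constructed skip list in the style of defaultSkipUrl; "/**" is the suffix the filter strips.
    static final List<String> DEFAULT_SKIP_URL = List.of("/token/**", "/actuator/health/**");
    /** Vulnerable shape: the filter sees a decoded path and does a substring match on it. */
    static boolean isSkipVulnerable(String rawPath) {
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        return DEFAULT_SKIP_URL.stream()
                .map(u -> u.replace("/**", ""))   // "/token/**" -> "/token"
                .anyMatch(path::contains);
    }
    /** Hardened shape: normalise first, then require an exact or segment-prefix match. */
    static boolean isSkipHardened(String rawPath) {
        String path = normalise(rawPath);
        if (path == null) return false;            // fail closed on anything suspicious
        return DEFAULT_SKIP_URL.stream()
                .map(u -> u.replace("/**", ""))
                .anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
    }
    /** Drop matrix parameters (";...") per segment before decoding; reject hidden separators. */
    static String normalise(String rawPath) {
        StringBuilder sb = new StringBuilder();
        for (String seg : rawPath.split("/", -1)) {
            int semi = seg.indexOf(';');
            String clean = semi >= 0 ? seg.substring(0, semi) : seg;
            try {
                clean = URLDecoder.decode(clean, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return null;                       // malformed percent-encoding
            }
            if (clean.isEmpty()) continue;
            if (clean.contains("/") || clean.contains("\\") || clean.equals(".") || clean.equals("..")) {
                return null;                       // encoded slash or dot-segment: do not trust
            }
            sb.append('/').append(clean);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }
    public static void main(String[] args) {
        String[] samples = { "/blade-gateway/discovery/instances",          // expected: blocked
                             "/blade-gateway/discovery/instances;%2ftoken", // the report's bypass
                             "/admin/token",                                 // substring false positive
                             "/token/refresh" };                             // legitimately skipped
        for (String s : samples)
            System.out.printf("%-46s vulnerable=%-5b hardened=%b%n", s, isSkipVulnerable(s), isSkipHardened(s));
    }
}
```

Running it shows the vulnerable check returning true for the second and third samples while the hardened check returns true only for the last one.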