Authorization bypass in blade-gateway
s31k31 opened this issue · 0 comments
In `src/main/java/org/springblade/gateway/filter/AuthFilter.java`, the `isSkip()` method calls `url.replace(AuthProvider.TARGET, AuthProvider.REPLACEMENT)`, which is equivalent to `url.replace("/**", "")`: it strips the trailing `/**` from each entry in `defaultSkipUrl` and then checks whether the request path contains one of the resulting strings.

Note that the check is `contains`, i.e. `path::contains`. As long as the incoming path contains `/token` or one of the `defaultSkipUrl` entries anywhere in it, authorization is skipped.

Using the gateway's URL parsing, you can append `;%2ftoken` to the request: the path is then considered to contain `/token`, while the gateway still resolves the route correctly, resulting in unauthorized access.
The original request without the Blade-Auth header is blocked:
http://localhost/blade-gateway/discovery/instances
Append `;%2ftoken` to the end of the URL to bypass authorization:
http://localhost/blade-gateway/discovery/instances;%2ftoken
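The `contains` check next to a hardened alternative, as an added example that is not part of the original issue or of SpringBlade's code. `isSkipVulnerable` is a reconstruction of the check the issue describes (strip `/**`, then `path::contains`); the class name, the sample skip list standing in for `defaultSkipUrl`, and the `isSkipHardened`/`normalize` helpers are assumptions made for this demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;

public class SkipCheckDemo {

    // From the issue: TARGET is "/**" and REPLACEMENT is "". The skip list below is
    // a made-up stand-in for defaultSkipUrl, in the same "/**" pattern style.
    static final String TARGET = "/**";
    static final String REPLACEMENT = "";
    static final List<String> DEFAULT_SKIP_URL = Arrays.asList(
            "/token/**", "/actuator/**", "/doc.html");

    // Reconstruction of the check the issue describes: strip "/**", then path::contains.
    static boolean isSkipVulnerable(String path) {
        return DEFAULT_SKIP_URL.stream()
                .map(url -> url.replace(TARGET, REPLACEMENT))
                .anyMatch(path::contains);
    }

    // Hardened check (demo code, not the project's): normalize the path the way a
    // router sees it, then match patterns only against whole leading segments.
    static boolean isSkipHardened(String rawPath) {
        String path = normalize(rawPath);
        if (path == null) {
            return false; // fail closed: anything odd goes through authentication
        }
        for (String url : DEFAULT_SKIP_URL) {
            if (url.endsWith(TARGET)) {
                String prefix = url.substring(0, url.length() - TARGET.length());
                if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                    return true;
                }
            } else if (path.equals(url)) {
                return true;
            }
        }
        return false;
    }

    // Drops matrix parameters (";...") from each segment, percent-decodes each segment
    // once, resolves "." and "..", and returns null (reject) for segments that decode to
    // a slash or backslash, still contain '%' (double encoding), or climb above the root.
    static String normalize(String rawPath) {
        String withoutQuery = rawPath.split("\\?", 2)[0];
        Deque<String> out = new ArrayDeque<>();
        for (String segment : withoutQuery.split("/", -1)) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi);
            }
            String decoded;
            try {
                // URLDecoder does form decoding; keep a literal '+' as '+' rather than a space.
                decoded = URLDecoder.decode(segment.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return null;
            }
            if (decoded.contains("/") || decoded.contains("\\") || decoded.contains("%")) {
                return null;
            }
            if (decoded.isEmpty() || decoded.equals(".")) {
                continue;
            }
            if (decoded.equals("..")) {
                if (out.isEmpty()) {
                    return null;
                }
                out.removeLast();
                continue;
            }
            out.addLast(decoded);
        }
        return "/" + String.join("/", out);
    }

    public static void main(String[] args) {
        String[] requests = {
                "/token",                                          // legitimately public
                "/blade-gateway/discovery/instances",              // the blocked request from the issue
                "/blade-gateway/discovery/instances;%2ftoken",     // the bypass from the issue
                "/api/token-stats",                                // substring hit without any trick
                "/actuator/../blade-gateway/discovery/instances",  // dot-segment variant (constructed)
        };
        System.out.printf("%-50s %-10s %s%n", "path", "vulnerable", "hardened");
        for (String path : requests) {
            System.out.printf("%-50s %-10b %b%n", path, isSkipVulnerable(path), isSkipHardened(path));
        }
    }
}
```

Run with `javac SkipCheckDemo.java && java SkipCheckDemo`. The `contains` column is true for the `;%2ftoken` request, and also for `/api/token-stats`, which shows that the substring check is wrong even without any encoding trick; the hardened column is true only for paths that actually start with a whitelisted prefix. In a real gateway the matcher should be the framework's own (for Spring, `AntPathMatcher` or `PathPattern`) applied to the same normalized path the router matched on, so that the allow-list and the routing decision cannot disagree.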