This is an automated email from the ASF dual-hosted git repository.
xiaoyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shenyu.git
The following commit(s) were added to refs/heads/master by this push:
new 1fd33d5aa [Task #4774] <The access layer interface for the apidoc
function only allows requests for gateway addresses within the whitelist.>
(#4776)
1fd33d5aa is described below
commit 1fd33d5aa032e8e71e7e40b229d74e9f88745923
Author: lianjunwei <[email protected]>
AuthorDate: Fri Jun 30 14:20:59 2023 +0800
[Task #4774] <The access layer interface for the apidoc function only
allows requests for gateway addresses within the whitelist.> (#4776)
* apidoc sql
* refact
* commit
* [Task] Shenyu-admin: Fix API document failed to build because of NPE.
* [Task] Shenyu-admin: Fix API document failed to build because of NPE.
* solve conflicts, modify LICENSE.
* delete useless code.
* delete useless code.
* commit
* [ISSUE #3843]admin apidoc fix: the required attribute prompt is incorrect
when micro service parameter uses "@ApiModelProperty".
* commit
* [shenyu-examples]add swagger to the example project to test the apidoc
function of the gateway management system.
* commit
* commit
* commit
* [ISSUE #4690]Supports gzip compression in response to HTTP requests.
* [examples]Add Swagger sample project to demonstrate automatic pull
interface documentation.
* [ISSUE #4774] The access layer interface for the apidoc function only
allows requests for gateway addresses within the whitelist.
* commit
* remove uncommit code
* commit
* commit
* commit
---------
Co-authored-by: lianjunwei <[email protected]>
Co-authored-by: dragon-zhang <[email protected]>
Co-authored-by: xiaoyu <[email protected]>
---
.../admin/service/impl/SandboxServiceImpl.java | 32 +++++++++++++++++++++-
.../org/apache/shenyu/common/utils/UriUtils.java | 31 +++++++++++++++++----
2 files changed, 57 insertions(+), 6 deletions(-)
diff --git
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java
index 93c4496df..1073f942d 100644
---
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java
+++
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java
@@ -17,19 +17,24 @@
package org.apache.shenyu.admin.service.impl;
+import java.util.Set;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.shenyu.admin.model.dto.ProxyGatewayDTO;
import org.apache.shenyu.admin.model.entity.AppAuthDO;
+import org.apache.shenyu.admin.model.vo.ShenyuDictVO;
import org.apache.shenyu.admin.service.AppAuthService;
import org.apache.shenyu.admin.service.SandboxService;
+import org.apache.shenyu.admin.service.ShenyuDictService;
import org.apache.shenyu.admin.utils.Assert;
import org.apache.shenyu.admin.utils.HttpUtils;
import org.apache.shenyu.admin.utils.ShenyuSignatureUtils;
import org.apache.shenyu.admin.utils.UploadUtils;
+import org.apache.shenyu.common.constant.AdminConstants;
import org.apache.shenyu.common.constant.Constants;
+import org.apache.shenyu.common.exception.ShenyuException;
import org.apache.shenyu.common.utils.JsonUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -63,8 +68,11 @@ public class SandboxServiceImpl implements SandboxService {
private final AppAuthService appAuthService;
- public SandboxServiceImpl(final AppAuthService appAuthService) {
+ private final ShenyuDictService shenyuDictService;
+
+ public SandboxServiceImpl(final AppAuthService appAuthService, final
ShenyuDictService shenyuDictService) {
this.appAuthService = appAuthService;
+ this.shenyuDictService = shenyuDictService;
}
@Override
@@ -74,6 +82,14 @@ public class SandboxServiceImpl implements SandboxService {
String appKey = proxyGatewayDTO.getAppKey();
UriComponents uriComponents =
UriComponentsBuilder.fromHttpUrl(proxyGatewayDTO.getRequestUrl()).build();
+ String proxyHostPort = getHostPort(proxyGatewayDTO.getRequestUrl());
+
+ Set<String> permitHostPorts = getPermitHostPorts();
+ if (!permitHostPorts.contains(proxyHostPort)) {
+ LOG.error("Unsecure access, details: {}",
proxyGatewayDTO.getRequestUrl());
+ throw new ShenyuException(proxyHostPort + " is not allowed.");
+ }
+
String signContent = null;
String sign = null;
if (StringUtils.isNotEmpty(appKey)) {
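Review bot: The allowlist check at `permitHostPorts.contains(proxyHostPort)` validates the host and port as Spring's `UriComponentsBuilder` parses them, but nothing in this hunk shows the outgoing request being built from those same parsed components. The method body continues outside the hunk, so it is worth confirming there that the HTTP client is not handed the raw `proxyGatewayDTO.getRequestUrl()` string and does not follow redirects to hosts that were never checked. The URL is also parsed twice, once into `uriComponents` and again inside `getHostPort`; deriving `proxyHostPort` from the existing `uriComponents` keeps a single parse result. I would also add a comment above the check, for example `// SSRF guard: only proxy to gateway addresses enabled in the apidoc environment dictionary`, and compare hosts lower-cased on both sides because host names are case-insensitive.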
@@ -106,6 +122,20 @@ public class SandboxServiceImpl implements SandboxService {
response.flushBuffer();
}
+ private Set<String> getPermitHostPorts() {
+ List<ShenyuDictVO> dictVOList =
shenyuDictService.list(AdminConstants.DICT_TYPE_API_DOC_ENV);
+ Set<String> hostPorts = dictVOList.stream()
+ .filter(ShenyuDictVO::getEnabled)
+ .map(dictVO -> getHostPort(dictVO.getDictValue()))
+ .collect(Collectors.toSet());
+ return hostPorts;
+ }
+
+ private String getHostPort(final String httpUrl) {
+ UriComponents uriComponent =
UriComponentsBuilder.fromHttpUrl(httpUrl).build();
+ return uriComponent.getHost() + ":" +
org.apache.shenyu.common.utils.UriUtils.getActualPort(uriComponent.getScheme(),
uriComponent.getPort());
+ }
+
private Map<String, String> buildReqHeaders(final ProxyGatewayDTO
proxyGatewayDTO) {
Map<String, String> reqHeaders = new HashMap<>();
try {
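Review bot: `getPermitHostPorts` fails for every sandbox request as soon as one enabled dictionary entry is not a well-formed http(s) URL, because `getHostPort` passes `dictVO.getDictValue()` to `UriComponentsBuilder.fromHttpUrl`, which throws `IllegalArgumentException` on such input. Blank or unparsable entries should be skipped with a warning log so that a configuration typo does not take the whole feature down. If `getEnabled` returns a boxed `Boolean`, `.filter(ShenyuDictVO::getEnabled)` also throws on a null value; `.filter(dictVO -> Boolean.TRUE.equals(dictVO.getEnabled()))` avoids that. Both new private methods lack Javadoc; a short comment stating that entries are normalised to `host:port` with the scheme default port filled in would help the next reader.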
diff --git
a/shenyu-common/src/main/java/org/apache/shenyu/common/utils/UriUtils.java
b/shenyu-common/src/main/java/org/apache/shenyu/common/utils/UriUtils.java
index 39ac1b979..4ee16f356 100644
--- a/shenyu-common/src/main/java/org/apache/shenyu/common/utils/UriUtils.java
+++ b/shenyu-common/src/main/java/org/apache/shenyu/common/utils/UriUtils.java
@@ -26,9 +26,9 @@ import java.util.Objects;
* uri util.
*/
public class UriUtils {
-
+
private static final String PRE_FIX = "/";
-
+
/**
* create URI {@link URI}.
*
@@ -41,7 +41,7 @@ public class UriUtils {
}
return null;
}
-
+
/**
* Repair data string.
*
@@ -51,7 +51,7 @@ public class UriUtils {
public static String repairData(final String name) {
return name.startsWith(PRE_FIX) ? name : PRE_FIX + name;
}
-
+
/**
* Remove prefix string.
*
@@ -80,7 +80,7 @@ public class UriUtils {
* appendScheme.
*
* @param scheme scheme
- * @param url url
+ * @param url url
* @return {@link String}
*/
public static String appendScheme(final String url, final String scheme) {
@@ -90,4 +90,25 @@ public class UriUtils {
}
return schemeUrl;
}
+
+ /**
+ * get actual port.
+ *
+ * @param scheme scheme eg:http
+ * @param port port
+ * @return {@link int}
+ */
+ public static int getActualPort(final String scheme, final Integer port) {
+ Integer actualPort = port;
+ if (Objects.isNull(port) || port.intValue() < 0) {
+ if (!"http".equals(scheme) && !"ws".equals(scheme)) {
+ if ("https".equals(scheme) || "wss".equals(scheme)) {
+ actualPort = 443;
+ }
+ } else {
+ actualPort = 80;
+ }
+ }
+ return actualPort;
+ }
}
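Review bot: `getActualPort` throws a `NullPointerException` when `port` is null and the scheme is not one of `http`, `ws`, `https` or `wss`, because `actualPort` is still null when it is unboxed at `return actualPort;`. The caller added in this commit only passes http(s) URLs, but this is a public utility, so the unknown-scheme case needs a defined result, either `-1` as below or an `IllegalArgumentException`. Flattening the nested negated conditions into guard clauses makes the mapping readable. The Javadoc's `@return {@link int}` is not a valid link target and should say what is returned, i.e. the explicit port if present, otherwise the scheme default.

```java
public static int getActualPort(final String scheme, final Integer port) {
    if (Objects.nonNull(port) && port >= 0) {
        return port;
    }
    if ("http".equals(scheme) || "ws".equals(scheme)) {
        return 80;
    }
    if ("https".equals(scheme) || "wss".equals(scheme)) {
        return 443;
    }
    // no explicit port and no known default for this scheme
    return -1;
}
```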