解决BladeX微服务Swagger资源未授权访问漏洞

时间:2024-10-12 16:05:10
  • /*
  • * Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
  • *
  • * Redistribution and use in source and binary forms, with or without
  • * modification, are permitted provided that the following conditions are met:
  • *
  • * Redistributions of source code must retain the above copyright notice,
  • * this list of conditions and the following disclaimer.
  • * Redistributions in binary form must reproduce the above copyright
  • * notice, this list of conditions and the following disclaimer in the
  • * documentation and/or other materials provided with the distribution.
  • * Neither the name of the developer nor the names of its
  • * contributors may be used to endorse or promote products derived from
  • * this software without specific prior written permission.
  • * Author: Chill 庄骞 (smallchill@)
  • */
  • package ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import .slf4j.Slf4j;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  • import ;
  /**
   * SwaggerResourceHandler
   *
   * WebFlux {@link HandlerFunction} that serves the Swagger resource list. When the
   * profile guard computed in the constructor is active, requests whose path matches the
   * "/swagger-resources" check in {@link #handle} are answered with a pre-serialised
   * {@link ProdSwaggerPath401} body instead of the resource list.
   *
   * NOTE(review): several callee names are missing from this listing (the stream source in
   * {@code this.()} and the bare {@code ()} calls). Comments that describe those calls are
   * inferred from context and must be confirmed against the original file.
   *
   * @author lengleng
   */
  @Slf4j
  @Component
  public class SwaggerResourceHandler implements HandlerFunction<ServerResponse> {
    // Supplies the Swagger resource list returned on the success path of handle().
    private final SwaggerResourcesProvider swaggerResources;
    // Spring environment; the constructor derives the profile guard from it.
    private final Environment environment;
    // True when the profile filter in the constructor matches. Assigned exactly once, in the
    // constructor, so it could be declared final.
    // NOTE(review): the filter matches the literal profile name "test", while this field's
    // name and the log message in handle() refer to a "prod" environment. With a profile
    // actually named "prod" the guard would stay inactive — confirm which profile name is
    // intended to enable it.
    private boolean isProdActive;
    // Serialised ProdSwaggerPath401 body sent when the guard rejects a request. Built once at
    // construction so no per-request serialisation is needed. Assigned exactly once; could be final.
    private String msg401;

    /**
     * Creates the handler and precomputes the profile guard and the rejection body.
     *
     * {@code @SneakyThrows} is present because the call that produces {@code msg401}
     * presumably declares a checked exception; the callee's name is missing from this
     * listing, so that is an inference.
     *
     * @param swaggerResources provider of the Swagger resource list
     * @param environment      Spring environment whose active profiles drive the guard
     */
    @SneakyThrows
    @Autowired
    public SwaggerResourceHandler(SwaggerResourcesProvider swaggerResources, Environment environment) {
      this.swaggerResources = swaggerResources;
      this.environment = environment;
      // Guard is active when any element of the (elided) stream source equals "test",
      // case-insensitively. The source is presumably the active profiles — confirm.
      this.isProdActive = (this.())
          .filter(active -> "test".equalsIgnoreCase(active))
          .findAny()
          .isPresent();
      // Rejection payload: code (expression elided in this listing), success=false, no data,
      // and a fixed message. The outer call serialises it to the String kept in msg401.
      msg401 = (new ProdSwaggerPath401((), false, null, "请求未授权!!!!!!"));
    }

    /**
     * Handle the given request.
     *
     * When the guard is active and the request path satisfies the "/swagger-resources"
     * predicate, responds with the precomputed rejection body; otherwise responds with the
     * Swagger resource list. Both branches set {@code MediaType.APPLICATION_JSON_UTF8}.
     * The status used on each branch comes from a call whose name is elided in this listing;
     * the class and field names suggest 401 for the rejection branch, but that is not visible.
     *
     * NOTE(review): when the guard is active but the path predicate does not match, control
     * falls through to the success branch and the resource list is still returned. Whether
     * such a request can reach this handler depends on the route it is registered for, which
     * is not shown here.
     *
     * NOTE(review): {@code MediaType.APPLICATION_JSON_UTF8} is deprecated in later Spring 5.x
     * releases in favour of {@code MediaType.APPLICATION_JSON}; check against the Spring
     * version in use.
     *
     * @param request the request to handler
     * @return the response
     */
    @Override
    public Mono<ServerResponse> handle(ServerRequest request) {
      if (isProdActive) {
        // Request path; the accessor is elided in this listing.
        String path = ();
        // Emitted for every guarded request (logger method elided); the message says the
        // "prod" environment forbids swagger-resources access and records the path.
        ("prod环境禁止访问swagger-resources, 环境参数验证: {}, 访问路径: {}", isProdActive, path);
        // Path predicate (method elided): when it matches, return the precomputed body.
        if (("/swagger-resources")) {
          return ()
              .contentType(MediaType.APPLICATION_JSON_UTF8)
              .body((msg401));
        }
      }
      // Success path: the body is built from a call on the resource provider (elided).
      return ()
          .contentType(MediaType.APPLICATION_JSON_UTF8)
          .body((()));
    }

    /**
     * Error message returned when Swagger resources are requested in the production environment.
     *
     * This is a non-static inner class, so every instance carries a hidden reference to the
     * enclosing handler. Only one instance is created (in the constructor) and only its
     * serialised form is kept, so {@code private static class} would serve equally well.
     */
    @Data
    @ApiModel(
        description = "生产环境Swagger资源返回消息"
    )
    @AllArgsConstructor
    private class ProdSwaggerPath401 implements Serializable {
      private static final long serialVersionUID = 1L;
      // Status code carried in the body; the value passed in the constructor is elided here.
      @ApiModelProperty(
          value = "状态码",
          required = true
      )
      private int code;
      // Always false for the rejection body built in the constructor.
      @ApiModelProperty(
          value = "是否成功",
          required = true
      )
      private boolean success;
      // Payload; null for the rejection body.
      @ApiModelProperty("承载数据")
      private Object data;
      // Human-readable message shown to the caller.
      @ApiModelProperty(
          value = "返回消息",
          required = true
      )
      private String msg;
    }
  }