update cors security code

Author: JoyChou93

src/main/java/org/joychou/config/CorsConfig.java

@@ -26,4 +26,4 @@
 //        bean.setOrder(0);
 //        return bean;
 //    }
-//}
+//}

src/main/java/org/joychou/config/CorsConfig2.java

@@ -0,0 +1,49 @@
+package org.joychou.config;
+
+import org.joychou.security.CustomCorsProcessor;
+import org.springframework.boot.autoconfigure.web.WebMvcRegistrationsAdapter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
+
+@Configuration
+public class CustomCorsConfig extends WebMvcRegistrationsAdapter {
+
+    /**
+     * 设置cors origin白名单。区分http和https，并且默认不会拦截同域请求。
+     */
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurerAdapter() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                // 支持一级域名，因为重写了checkOrigin
+                String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
+                registry.addMapping("/cors/sec/webMvcConfigurer") // /**表示所有路由path
+                        .allowedOrigins(allowOrigins)
+                        .allowedMethods("GET", "POST")
+                        .allowCredentials(true);
+            }
+        };
+    }
+
+
+    @Override
+    public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
+        return new CustomRequestMappingHandlerMapping();
+    }
+
+
+    /**
+     * 自定义Cors处理器
+     * 自定义校验origin，支持一级域名校验 && 多级域名
+     */
+    private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {
+        private CustomRequestMappingHandlerMapping() {
+            setCorsProcessor(new CustomCorsProcessor());
+        }
+    }
+}

src/main/java/org/joychou/config/CustomCorsConfig.java

@@ -11,28 +11,28 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * @author  JoyChou ([email protected])
- * @date    2018.10.24
- * @desc    https://github.com/JoyChou93/java-sec-code/wiki/CORS
+ * @author  JoyChou ([email protected]) @2018.10.24
+ * https://github.com/JoyChou93/java-sec-code/wiki/CORS
  */
 
 @RestController
 @RequestMapping("/cors")
 public class Cors {
 
-    protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+    private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
+
 
     @RequestMapping("/vuln/origin")
-    private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
+    public static String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
         response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
         response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
         return info;
     }
 
     @RequestMapping("/vuln/setHeader")
-    private static String vuls2(HttpServletResponse response) {
+    public static String vuls2(HttpServletResponse response) {
         // 后端设置Access-Control-Allow-Origin为*的情况下，跨域的时候前端如果设置withCredentials为true会异常
         response.setHeader("Access-Control-Allow-Origin", "*");
         return info;
@@ -41,40 +41,67 @@ private static String vuls2(HttpServletResponse response) {
 
     @CrossOrigin("*")
     @RequestMapping("/vuln/crossOrigin")
-    private static String vuls3(HttpServletResponse response) {
+    public static String vuls3() {
+        return info;
+    }
+
+
+    /**
+     * 重写Cors的checkOrigin校验方法
+     * 支持自定义checkOrigin，让其额外支持一级域名
+     * 代码：org/joychou/security/CustomCorsProcessor
+     */
+    @CrossOrigin(origins = {"joychou.org", "http://test.joychou.me"})
+    @RequestMapping("/sec/crossOrigin")
+    public static String secCrossOrigin() {
         return info;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/webMvcConfigurer.java
+    /**
+     * WebMvcConfigurer设置Cors
+     * 支持自定义checkOrigin
+     * 代码：org/joychou/config/CorsConfig.java
+     */
     @RequestMapping("/sec/webMvcConfigurer")
     public CsrfToken getCsrfToken_01(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java
+    /**
+     * spring security设置cors
+     * 不支持自定义checkOrigin，因为spring security优先于setCorsProcessor执行
+     * 代码：org/joychou/security/WebSecurityConfig.java
+     */
     @RequestMapping("/sec/httpCors")
     public CsrfToken getCsrfToken_02(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/SecCorsFilter.java
-    @RequestMapping("/sec/corsFitler")
+    /**
+     * 自定义filter设置cors
+     * 支持自定义checkOrigin
+     * 代码：org/joychou/filter/OriginFilter.java
+     */
+    @RequestMapping("/sec/originFilter")
     public CsrfToken getCsrfToken_03(CsrfToken token) {
         return token;
     }
 
 
-    // https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/filter/CorsFilter.java
-    @RequestMapping("/sec/Filter")
+    /**
+     * CorsFilter设置cors。
+     * 不支持自定义checkOrigin，因为corsFilter优先于setCorsProcessor执行
+     * 代码：org/joychou/filter/BaseCorsFilter.java
+     */
+    @RequestMapping("/sec/corsFilter")
     public CsrfToken getCsrfToken_04(CsrfToken token) {
         return token;
     }
 
 
-    // http://localhost:8080/cors/sec/checkOrigin
     @RequestMapping("/sec/checkOrigin")
     public String seccode(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("Origin");

src/main/java/org/joychou/controller/Cors.java

@@ -9,27 +9,26 @@
 
 /**
  * 由于CorsFilter和spring security冲突，所以改为下面的代码。
- * CorsFilter可以参考config/CorsConfig2的代码。
  */
 @Component
 @Order(Ordered.HIGHEST_PRECEDENCE)
-public class SecCorsFilter extends CorsFilter {
+public class BaseCorsFilter extends CorsFilter {
 
-    public SecCorsFilter() {
+    public BaseCorsFilter() {
         super(configurationSource());
     }
 
     private static UrlBasedCorsConfigurationSource configurationSource() {
         CorsConfiguration config = new CorsConfiguration();
         config.setAllowCredentials(true);
-        config.addAllowedOrigin("http://test.joychou.org");
-        config.addAllowedOrigin("https://test.joychou.org");
+        config.addAllowedOrigin("joychou.org"); // 不支持
+        config.addAllowedOrigin("http://test.joychou.me");
         config.addAllowedHeader("*");
         config.addAllowedMethod("GET");
         config.addAllowedMethod("POST");
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/cors/sec/corsFitler", config);
+        source.registerCorsConfiguration("/cors/sec/corsFilter", config);
 
         return source;
     }

src/main/java/org/joychou/filter/SecCorsFilter.java renamed to src/main/java/org/joychou/filter/BaseCorsFilter.java

@@ -11,13 +11,13 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+
 /**
  * 推荐使用该全局方案修复Cors跨域漏洞，因为可以校验一级域名。
  * @author JoyChou @ 2019.12.19
- *
+ * 
  */
-
-@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/Filter")
+@WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
 
     private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
@@ -41,7 +41,10 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
 
         // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
         if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
-            logger.error("[-] Origin check error.");
+            logger.error("[-] Origin check error. " + "Origin: " + origin +
+                    "\tCurrent url:" + request.getRequestURL());
+            response.setStatus(response.SC_FORBIDDEN);
+            response.getWriter().println("Invaid cors config by joychou.");
             return;
         }
 

src/main/java/org/joychou/filter/OriginFilter.java

@@ -0,0 +1,60 @@
+package org.joychou.security;
+
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.util.CollectionUtils;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.DefaultCorsProcessor;
+
+import java.util.List;
+
+public class CustomCorsProcessor extends DefaultCorsProcessor {
+
+    private static final Logger logger = LoggerFactory.getLogger(CustomCorsProcessor.class);
+
+
+    /**
+     * 跨域请求，会通过此方法检测请求源是否被允许
+     *
+     * @param config        CORS 配置
+     * @param requestOrigin 请求源
+     * @return 如果请求源被允许，返回请求源；否则返回 null
+     */
+    @Override
+    protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
+
+        // 支持checkOrigin原装的域名配置
+        String result = super.checkOrigin(config, requestOrigin);
+        if (result != null) {
+            return result;
+        }
+
+        List<String> allowedOrigins = config.getAllowedOrigins();
+        if (StringUtils.isBlank(requestOrigin)
+                || CollectionUtils.isEmpty(allowedOrigins)) {
+            return null;
+        }
+
+        return customCheckOrigin(allowedOrigins, requestOrigin);
+    }
+
+
+    /**
+     * 用host的endsWith来校验requestOrigin
+     */
+    private String customCheckOrigin(List<String> allowedOrigins, String requestOrigin) {
+
+        // list转String[]
+        String[] arrayAllowOrigins = allowedOrigins.toArray(new String[allowedOrigins.size()]);
+
+        if ( SecurityUtil.checkURLbyEndsWith(requestOrigin, arrayAllowOrigins) != null) {
+            logger.info("[+] Origin: "  + requestOrigin );
+            return requestOrigin;
+        }
+        logger.error("[-] Origin: " + requestOrigin );
+        return null;
+    }
+
+
+}

src/main/java/org/joychou/security/CustomCorsProcessor.java

@@ -62,7 +62,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .ignoringAntMatchers(csrfExcludeUrl)  // 不进行csrf校验的uri，多个uri使用逗号分隔
                 .csrfTokenRepository(new CookieCsrfTokenRepository());
         http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler());
-        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
+        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());«
 
         http.cors();
 
@@ -85,8 +85,8 @@ CorsConfigurationSource corsConfigurationSource()
     {
         // Set cors origin white list
         ArrayList<String> allowOrigins = new ArrayList<String>();
-        allowOrigins.add("http://test.joychou.org");
-        allowOrigins.add("https://test.joychou.org"); // 区分http和https，并且默认不会拦截同域请求。
+        allowOrigins.add("joychou.org");
+        allowOrigins.add("https://test.joychou.me"); // 区分http和https，并且默认不会拦截同域请求。
 
         CorsConfiguration configuration = new CorsConfiguration();
         configuration.setAllowedOrigins(allowOrigins);

src/main/java/org/joychou/security/WebSecurityConfig.java

@@ -10,7 +10,7 @@
     <p>
         <a th:href="@{/codeinject?filepath=/tmp;cat /etc/passwd}">CmdInject</a>&nbsp;&nbsp;
         <a th:href="@{/jsonp/getToken?_callback=test}">JSONP</a>&nbsp;&nbsp;
-        <a th:href="@{cors/sec/Filter}">Cors</a>&nbsp;&nbsp;
+        <a th:href="@{cors/sec/originFilter}">Cors</a>&nbsp;&nbsp;
         <a th:href="@{/path_traversal/vul?filepath=../../../../../etc/passwd}">PathTraversal</a>&nbsp;&nbsp;
         <a th:href="@{/sqli/jdbc/vul?username=joychou}">SqlInject</a>&nbsp;&nbsp;
         <a th:href="@{/ssrf/urlConnection?url=file:///etc/passwd}">SSRF</a>&nbsp;&nbsp;