SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities
Steps to reproduce:
First, register a user whose only permission is: user
    import cn.dev33.satoken.stp.StpInterface;
    import org.springframework.stereotype.Component;
    import java.util.ArrayList;
    import java.util.List;

    @Component
    public class StpInterfaceImpl implements StpInterface {
        // Every logged-in account gets the single permission "user".
        @Override
        public List<String> getPermissionList(Object loginId, String loginType) {
            List<String> list = new ArrayList<String>();
            list.add("user");
            return list;
        }
        // StpInterface also requires getRoleList; no roles are used here.
        @Override
        public List<String> getRoleList(Object loginId, String loginType) { return new ArrayList<String>(); }
    }
Register an interceptor whose intercepted address is /admin/password, requiring the permission: admin
    import cn.dev33.satoken.interceptor.SaInterceptor;
    import cn.dev33.satoken.router.SaRouter;
    import cn.dev33.satoken.stp.StpUtil;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class SaTokenConfigure implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new SaInterceptor(handler -> {
                // Everything except the login endpoint requires a logged-in session.
                SaRouter
                    .match("/**")
                    .notMatch("/user/doLogin")
                    .check(r -> StpUtil.checkLogin());
                // Only this exact pattern is tied to the "admin" permission.
                SaRouter.match("/admin/password", r -> StpUtil.checkPermission("admin"));
            })).addPathPatterns("/**");
        }
    }
Then write a login interface and an admin interface; the admin interface address is: /admin/password
    import cn.dev33.satoken.stp.StpUtil;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class UserController {
        // Test login, browser access: http://localhost:8081/user/doLogin?username=zhang&password=123456
        @RequestMapping("/user/doLogin")
        public String doLogin(String username, String password) {
            if ("zhang".equals(username) && "123456".equals(password)) {
                StpUtil.login(10001);
                return "success";
            }
            return "fail";
        }

        // Protected resource; the interceptor rule above is keyed on "/admin/password".
        @RequestMapping("/admin/password")
        public String getPassword() {
            return "flag{m4ra7h0n}";
        }
    }
Log in first.
Then access: /admin/password/
Root cause
The root cause is that the difference in URI processing between SaToken and Spring can be used to bypass authorization.
In the configuration, the path with the permission restriction is '/admin/password'. We access '/admin/password/'; AntPathMatcher's match of '/admin/password' against '/admin/password/' returns false, so the permission check is bypassed.
At the same time, Spring handles the trailing '/' when matching paths, so accessing either '/admin/password' or '/admin/password/' returns the related resource.
For this vulnerability, see also CVE-2020-1957.
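The matcher disagreement described above, reproduced with Spring's own AntPathMatcher, as an added example that is not part of the issue or the Sa-Token project. It also shows the canonicalization an authorization layer needs before it matches a request path: the class name, the canonicalize helper and the probe paths are assumptions of this example, and spring-core must be on the classpath.

```java
// Added example (not from the issue or the Sa-Token project).
// Requires spring-core on the classpath; TrailingSlashDemo and canonicalize are assumed names.
import org.springframework.util.AntPathMatcher;

public class TrailingSlashDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /**
     * Canonical form used for authorization decisions: collapse repeated
     * separators and drop trailing ones, so "/admin/password/" becomes
     * "/admin/password" (the root path "/" is kept as-is).
     */
    static String canonicalize(String requestPath) {
        String p = requestPath.replaceAll("/{2,}", "/");
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return p;
    }

    /** The check as the report describes it: pattern against the raw request path. */
    static boolean rawRuleApplies(String pattern, String requestPath) {
        return MATCHER.match(pattern, requestPath);
    }

    /** Hardened check: pattern against the canonical request path. */
    static boolean canonicalRuleApplies(String pattern, String requestPath) {
        return MATCHER.match(pattern, canonicalize(requestPath));
    }

    public static void main(String[] args) {
        String rule = "/admin/password";
        // Constructed probe paths: the exact spelling and the trailing-slash variant.
        String[] probes = {"/admin/password", "/admin/password/"};
        for (String probe : probes) {
            System.out.printf("%-18s raw=%-5b canonical=%b%n",
                    probe, rawRuleApplies(rule, probe), canonicalRuleApplies(rule, probe));
        }
    }
}
```

With the raw check, the trailing-slash probe does not satisfy the rule, which is exactly the miss the report relies on; after canonicalization both spellings reach the permission check. The general lesson is that the authorization layer must see the same notion of "path" as the router does, otherwise every normalization the router performs (trailing slashes, duplicate separators, case folding) becomes a rule the authorization layer can be walked around.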
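A hardened version of the interceptor configuration from the report, added here as an example and not the reporter's or the Sa-Token project's code. It closes the gap on both sides: Spring is told not to route "/admin/password/" to the "/admin/password" handler (PathMatchConfigurer.setUseTrailingSlashMatch, a Spring 5 API), and the Sa-Token rule lists both spellings so the permission check fires whichever one arrives. The class name is assumed, as is the varargs form SaRouter.match(String...) for listing several patterns.

```java
// Added example (not from the issue or the Sa-Token project).
// HardenedSaTokenConfigure is an assumed name; SaRouter.match(String...) is assumed to accept several patterns.
import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class HardenedSaTokenConfigure implements WebMvcConfigurer {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        // Routing and authorization must agree on what a path is. With trailing
        // slash matching off, "/admin/password/" is no longer served by the
        // "/admin/password" handler, so a rule miss cannot become a bypass.
        configurer.setUseTrailingSlashMatch(false);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SaInterceptor(handler -> {
            // Everything except the login endpoint requires a session.
            SaRouter
                .match("/**")
                .notMatch("/user/doLogin")
                .check(r -> StpUtil.checkLogin());
            // Defence in depth: bind the permission to both spellings explicitly,
            // so the check does not depend on the router's normalization.
            SaRouter
                .match("/admin/password", "/admin/password/")
                .check(r -> StpUtil.checkPermission("admin"));
        })).addPathPatterns("/**");
    }
}
```

Spring Framework 6.0 changed the default of trailing-slash matching to false, so on Spring 6 the first override is already the default; the second measure still matters because it removes the dependency on that default altogether. Verify the fix the same way the report tests the bug: log in as the "user" account and request both /admin/password and /admin/password/, expecting the permission failure from both.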
m4ra7h0n changed the title from "SaToken和Spring对uri处理的差异化引发的越权漏洞" to "SaToken and Spring's differential handling of URIs raises authentication bypass vulnerabilities (SaToken和Spring对uri处理的差异化引发的越权漏洞)" on Sep 21, 2023
m4ra7h0n changed the title from "SaToken and Spring's differential handling of URIs raises authentication bypass vulnerabilities (SaToken和Spring对uri处理的差异化引发的越权漏洞)" to "SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities (SaToken和Spring对uri处理的差异化引发的越权漏洞)" on Sep 21, 2023
Name of affected product: SaToken
Affected version: version <= 1.3.50RC
Fixed version: version = 1.36.0
Description: SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities