zhangxunwei

icon indicating an email [email protected]

icon location china.hangzhou

Results 4 comments of zhangxunwei

解析错误

感谢你的反馈

[BUG] 使用来源白名单功能时,没有设置orgin的客户端请求会立即通过,功能失效。

> 一、详细说明: 使用来源白名单功能时,没有设置orgin的客户端请求会立即通过,功能失效。 二、漏洞证明(在这里写POC): github上最新的代码: https://github.com/alibaba/Sentinel/blob/master/sentinel-core/src/main/java/com/alibaba/csp/sentinel/slots/block/authority/AuthorityRuleChecker.java ![image](https://private-user-images.githubusercontent.com/1516363/334756059-dabbcbf9-ed68-4b6a-9de4-f1223a98fa05.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTkyMTYwMzMsIm5iZiI6MTcxOTIxNTczMywicGF0aCI6Ii8xNTE2MzYzLzMzNDc1NjA1OS1kYWJiY2JmOS1lZDY4LTRiNmEtOWRlNC1mMTIyM2E5OGZhMDUucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI0MDYyNCUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNDA2MjRUMDc1NTMzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ODgxOTRkOGM3NTdhZTNmZjAyZmEyNmZmMTQyZmYxNTI1ZWMzMGQ1NDM0YjAzM2FiZDZjNGY0MjRkNzE1NWJiMiZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmYWN0b3JfaWQ9MCZrZXlfaWQ9MCZyZXBvX2lkPTAifQ.El9grewoEKBGrq0JDsP4xiez2evZ50pwTGNUUu3VTr0) 三、修复方案: 应去掉StringUtil.isEmpty(requester)的判断,否则白名单功能失效,产生非法访问的漏洞。 一个解决方案是:在实现 RequestOriginParser#parseOrigin 方法是默认返回一个来源(如:defaultOrigin),而不是返回为空字符串。 当然直接放行 origin 为空的请求感觉确实有点怪怪的。

[Bug] Metadata retry thread may cause no provider available

> > > > ![image](https://private-user-images.githubusercontent.com/9292748/352894854-02501e8b-b269-4b8a-9d03-fac8cf68741f.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjIzMjA5MDAsIm5iZiI6MTcyMjMyMDYwMCwicGF0aCI6Ii85MjkyNzQ4LzM1Mjg5NDg1NC0wMjUwMWU4Yi1iMjY5LTRiOGEtOWQwMy1mYWM4Y2Y2ODc0MWYucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI0MDczMCUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNDA3MzBUMDYyMzIwWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ZDUxZjlhMWYwNzk0ZjFiZDQxMmI1ZjA3ZTlkZGJhODc2MzdhOGI2Njc2NmMxMTQwOGFiYzM1ZWQyMGJhZGY1YiZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmYWN0b3JfaWQ9MCZrZXlfaWQ9MCZyZXBvX2lkPTAifQ.j5yrrUd23IFLeq5dC3bGqs7fGMMcK9by3FOCeP2HAhg) > > > > My question is why the process is interrupted? > > > > > > > > > I'm not sure whether...

[Bug] Metadata retry thread may cause no provider available

I understand. Thank you for your selfless dedication.