Alibaba Sentinel SSRF漏洞代码审计与分析<\/h1>

一、Sentinel组件概述<\/h2>

Sentinel是阿里巴巴开源的面向分布式、多语言异构化服务架构的流量治理组件，主要功能包括：<\/p>

流量路由<\/li>
流量控制<\/li>
流量整形<\/li>
熔断降级<\/li>
系统自适应过载保护<\/li>

热点流量防护<\/li> <\/ul>

二、漏洞背景<\/h2>
本文分析的SSRF漏洞不同于已知的CVE-2021-44139漏洞，而是与获取集群状态功能相关的新SSRF漏洞。<\/p>

三、受影响版本<\/h2>
分析版本：v1.8.8（2025年5月时的最新Releases版）<\/p>

四、漏洞详细分析<\/h2>

1. 漏洞入口点<\/h3>
漏洞位于`com\/alibaba\/csp\/sentinel\/dashboard\/controller\/cluster\/ClusterConfigController.java<\/code>文件的119-146行，主要功能是获取集群或目标机器状态。<\/p>`

2. 参数处理流程<\/h3>
\/\/ 接收三个参数
<\/span><\/span><\/span><\/span>String app =<\/span> request.<\/span>getParam<\/span>(<\/span>"app"<\/span>);<\/span>
<\/span><\/span>String ip =<\/span> request.<\/span>getParam<\/span>(<\/span>"ip"<\/span>);<\/span>
<\/span><\/span>String portStr =<\/span> request.<\/span>getParam<\/span>(<\/span>"port"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 参数非空检查
<\/span><\/span><\/span><\/span>if<\/span> (<\/span>StringUtil.<\/span>isEmpty<\/span>(<\/span>app))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalArgumentException(<\/span>"app cannot be null or empty"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>if<\/span> (<\/span>StringUtil.<\/span>isEmpty<\/span>(<\/span>ip))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalArgumentException(<\/span>"ip cannot be null or empty"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>if<\/span> (<\/span>StringUtil.<\/span>isEmpty<\/span>(<\/span>portStr))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalArgumentException(<\/span>"port cannot be null or empty"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 版本支持检查
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>checkIfSupported(<\/span>app,<\/span> ip,<\/span> port))<\/span> {<\/span>
<\/span><\/span>    return<\/span> unsupportedVersion(<\/span>app,<\/span> ip,<\/span> port);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 集群状态获取逻辑<\/h3>
\/\/ 异步获取集群状态
<\/span><\/span><\/span><\/span>CompletableFuture<<\/span>ClusterUniversalStateVO><\/span> future =<\/span> clusterConfigService
<\/span><\/span>    .<\/span>getClusterUniversalState<\/span>(<\/span>app,<\/span> ip,<\/span> port)<\/span>
<\/span><\/span>    .<\/span>thenApply<\/span>(<\/span>e -><\/span> new<\/span> Result<>(<\/span>e).<\/span>setSuccess<\/span>(<\/span>true<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 阻塞等待结果
<\/span><\/span><\/span><\/span>try<\/span> {<\/span>
<\/span><\/span>    return<\/span> future.<\/span>get<\/span>();<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>ExecutionException e)<\/span> {<\/span>
<\/span><\/span>    logger.<\/span>error<\/span>(<\/span>"Error when getting cluster state"<\/span>,<\/span> e);<\/span>
<\/span><\/span>    return<\/span> new<\/span> Result<>().<\/span>setSuccess<\/span>(<\/span>false<\/span>)<\/span>
<\/span><\/span>        .<\/span>setMsg<\/span>(<\/span>e.<\/span>getCause<\/span>().<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>    logger.<\/span>error<\/span>(<\/span>"Error when getting cluster state"<\/span>,<\/span> e);<\/span>
<\/span><\/span>    return<\/span> new<\/span> Result<>().<\/span>setSuccess<\/span>(<\/span>false<\/span>)<\/span>
<\/span><\/span>        .<\/span>setCode<\/span>(-<\/span>1<\/span>)<\/span>
<\/span><\/span>        .<\/span>setMsg<\/span>(<\/span>e.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 服务层调用链<\/h3>
进入com\/alibaba\/csp\/sentinel\/dashboard\/service\/ClusterConfigService.java<\/code>的148-166行：<\/p>
public<\/span> CompletableFuture<<\/span>ClusterUniversalStateVO><\/span> getClusterUniversalState<\/span>(<\/span>
<\/span><\/span>    String app,<\/span> String ip,<\/span> Integer port)<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取集群模式信息
<\/span><\/span><\/span><\/span>    return<\/span> sentinelApiClient.<\/span>fetchClusterMode<\/span>(<\/span>ip,<\/span> port)<\/span>
<\/span><\/span>        .<\/span>thenApply<\/span>(<\/span>e -><\/span> new<\/span> ClusterUniversalStateVO().<\/span>setStateInfo<\/span>(<\/span>e))<\/span>
<\/span><\/span>        .<\/span>thenCompose<\/span>(<\/span>state -><\/span> {<\/span>
<\/span><\/span>            \/\/ 获取客户端信息
<\/span><\/span><\/span><\/span>            return<\/span> sentinelApiClient.<\/span>fetchClusterClientInfo<\/span>(<\/span>ip,<\/span> port)<\/span>
<\/span><\/span>                .<\/span>thenApply<\/span>(<\/span>e -><\/span> state.<\/span>setClientInfo<\/span>(<\/span>e));<\/span>
<\/span><\/span>        })<\/span>
<\/span><\/span>        .<\/span>thenCompose<\/span>(<\/span>state -><\/span> {<\/span>
<\/span><\/span>            \/\/ 获取服务器信息
<\/span><\/span><\/span><\/span>            return<\/span> sentinelApiClient.<\/span>fetchClusterServerInfo<\/span>(<\/span>ip,<\/span> port)<\/span>
<\/span><\/span>                .<\/span>thenApply<\/span>(<\/span>e -><\/span> state.<\/span>setServerInfo<\/span>(<\/span>e));<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. API客户端实现<\/h3>
进入com\/alibaba\/csp\/sentinel\/dashboard\/client\/SentinelApiClient.java<\/code>的626-637行：<\/p>
public<\/span> CompletableFuture<<\/span>ClusterStateSimpleEntity><\/span> fetchClusterMode<\/span>(<\/span>
<\/span><\/span>    String ip,<\/span> Integer port)<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构建请求路径
<\/span><\/span><\/span><\/span>    String url =<\/span> String.<\/span>format<\/span>(<\/span>FETCH_CLUSTER_MODE_PATH,<\/span> ip,<\/span> port);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行命令获取响应
<\/span><\/span><\/span><\/span>    return<\/span> executeCommand(<\/span>ip,<\/span> port,<\/span> url,<\/span> null<\/span>,<\/span> 
<\/span><\/span>        response -><\/span> JsonUtils.<\/span>parseObject<\/span>(<\/span>
<\/span><\/span>            response.<\/span>getContent<\/span>(),<\/span> ClusterStateSimpleEntity.<\/span>class<\/span>));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. HTTP请求执行核心<\/h3>
最终在280-315行执行HTTP请求：<\/p>
private<\/span> <<\/span>R><\/span> CompletableFuture<<\/span>R><\/span> executeCommand<\/span>(<\/span>
<\/span><\/span>    String ip,<\/span> Integer port,<\/span> String url,<\/span> String body,<\/span> 
<\/span><\/span>    Function<<\/span>HttpResponse,<\/span> R><\/span> responseParser)<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 参数校验
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>StringUtil.<\/span>isEmpty<\/span>(<\/span>ip))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"ip cannot be null or empty"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (<\/span>port ==<\/span> null<\/span> ||<\/span> port <=<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid port"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构建基础URL
<\/span><\/span><\/span><\/span>    String fullUrl =<\/span> "http:\/\/"<\/span> +<\/span> ip +<\/span> ":"<\/span> +<\/span> port +<\/span> url;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造HTTP请求
<\/span><\/span><\/span><\/span>    HttpRequestBase request;<\/span>
<\/span><\/span>    if<\/span> (<\/span>StringUtil.<\/span>isEmpty<\/span>(<\/span>body))<\/span> {<\/span>
<\/span><\/span>        request =<\/span> new<\/span> HttpGet(<\/span>fullUrl);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        HttpPost postRequest =<\/span> new<\/span> HttpPost(<\/span>fullUrl);<\/span>
<\/span><\/span>        postRequest.<\/span>setEntity<\/span>(<\/span>new<\/span> StringEntity(<\/span>body,<\/span> ContentType.<\/span>APPLICATION_JSON<\/span>));<\/span>
<\/span><\/span>        request =<\/span> postRequest;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行请求（漏洞点：未对IP地址进行充分校验）
<\/span><\/span><\/span><\/span>    return<\/span> asyncRequest(<\/span>request,<\/span> responseParser);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、漏洞复现步骤<\/h2>

漏洞接口：\/cluster\/state_single<\/code>（需要登录后访问）<\/li>
完整路径：http:\/\/localhost:8080\/cluster\/state_single<\/code><\/li>
构造请求示例：
http:\/\/localhost:8080\/cluster\/state_single?app=SSRF-TEST&ip=127.0.0.1&port=80
<\/code><\/pre>
<\/li>
可修改ip<\/code>参数为任意目标地址进行SSRF攻击<\/li>
<\/ol>
六、漏洞原理总结<\/h2>
漏洞产生原因：<\/p>

在构建HTTP请求时，直接拼接用户输入的IP地址和端口<\/li>
缺乏对IP地址的完整合法性校验：

未检查是否为内网IP<\/li>
未限制可访问的协议类型（只能使用HTTP）<\/li>
未对目标地址进行白名单限制<\/li>
<\/ul>
<\/li>
<\/ol>
七、修复建议<\/h2>


增加IP地址校验逻辑：<\/p>

检查是否为内网地址<\/li>
实现IP白名单机制<\/li>
<\/ul>
<\/li>

限制协议类型：<\/p>

强制使用HTTPS<\/li>
禁用非常用协议<\/li>
<\/ul>
<\/li>

增加输入验证：<\/p>
if<\/span> (!<\/span>isValidIp(<\/span>ip)<\/span> ||<\/span> isInternalIp(<\/span>ip))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid IP address"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

使用安全的URL构建方式：<\/p>
URI uri =<\/span> new<\/span> URIBuilder()<\/span>
<\/span><\/span>    .<\/span>setScheme<\/span>(<\/span>"https"<\/span>)<\/span>
<\/span><\/span>    .<\/span>setHost<\/span>(<\/span>validatedIp)<\/span>
<\/span><\/span>    .<\/span>setPort<\/span>(<\/span>validatedPort)<\/span>
<\/span><\/span>    .<\/span>setPath<\/span>(<\/span>url)<\/span>
<\/span><\/span>    .<\/span>build<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
八、学习要点<\/h2>


SSRF漏洞常见触发场景：<\/p>

直接拼接用户输入构建URL<\/li>
缺乏对目标地址的校验<\/li>
能够访问内部服务<\/li>
<\/ul>
<\/li>

代码审计关键点：<\/p>

追踪用户输入流向<\/li>
检查HTTP请求构建过程<\/li>
验证所有外部输入<\/li>
<\/ul>
<\/li>

防御措施：<\/p>

输入验证和过滤<\/li>
输出编码<\/li>
最小权限原则<\/li>
网络层隔离<\/li>
<\/ul>
<\/li>
<\/ol>

Alibaba Sentinel SSRF漏洞代码审计与分析<\/h1>

二、漏洞背景<\/h2> 本文分析的SSRF漏洞不同于已知的CVE-2021-44139漏洞，而是与获取集群状态功能相关的新SSRF漏洞。<\/p>

三、受影响版本<\/h2> 分析版本：v1.8.8（2025年5月时的最新Releases版）<\/p>

四、漏洞详细分析<\/h2>

1. 漏洞入口点<\/h3> 漏洞位于com\/alibaba\/csp\/sentinel\/dashboard\/controller\/cluster\/ClusterConfigController.java<\/code>文件的119-146行，主要功能是获取集群或目标机器状态。<\/p>

二、漏洞背景<\/h2>
本文分析的SSRF漏洞不同于已知的CVE-2021-44139漏洞，而是与获取集群状态功能相关的新SSRF漏洞。<\/p>

三、受影响版本<\/h2>
分析版本：v1.8.8（2025年5月时的最新Releases版）<\/p>

1. 漏洞入口点<\/h3>
漏洞位于`com\/alibaba\/csp\/sentinel\/dashboard\/controller\/cluster\/ClusterConfigController.java<\/code>文件的119-146行，主要功能是获取集群或目标机器状态。<\/p>`