CVE-2024-22243漏洞分析与Java中Host获取方式安全研究<\/h1>

漏洞概述<\/h2>
CVE-2024-22243是Spring框架中`UriComponentsBuilder<\/code>组件在处理URL时存在的一个安全漏洞。该漏洞源于对用户信息(userinfo)部分中方括号([]<\/code>)字符的不当处理，导致攻击者可以构造特殊URL绕过主机名验证机制。<\/p>`

受影响版本<\/h3>

Spring Framework 6.0.0 - 6.0.16<\/li>
Spring Framework 5.3.0 - 5.3.31<\/li>
<\/ul>
漏洞原理分析<\/h2>
问题根源<\/h3>
UriComponentsBuilder.fromUriString()<\/code>方法在解析URL时，对用户信息部分中的方括号处理不当。当URL包含如下格式时：<\/p>
http:\/\/user[attacker.com@legitimate.com\/
<\/code><\/pre>
解析器会错误地将attacker.com<\/code>识别为host的一部分，而实际上legitimate.com<\/code>才是真正的host。<\/p>
解析过程对比<\/h3>
正常URL解析<\/strong>:<\/p>
http:\/\/user@legitimate.com\/path
→ 解析结果:
  - Scheme: http
  - Host: legitimate.com
  - User: user
<\/code><\/pre>
恶意URL解析<\/strong>:<\/p>
http:\/\/user[attacker.com@legitimate.com\/path
→ 错误解析结果:
  - Scheme: http
  - Host: attacker.com
  - User: user
  - 实际请求发送至: legitimate.com
<\/code><\/pre>
Java中常见的Host获取方式<\/h2>
1. java.net.URL<\/code><\/h3>
URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/example.com"<\/span>);<\/span>
<\/span><\/span>String host =<\/span> url.<\/span>getHost<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>安全问题<\/strong>:<\/p>

不验证主机名是否可信<\/li>
不防止DNS重绑定攻击<\/li>
对特殊字符处理可能不一致<\/li>
<\/ul>
2. java.net.URI<\/code><\/h3>
URI uri =<\/span> new<\/span> URI(<\/span>"http:\/\/example.com"<\/span>);<\/span>
<\/span><\/span>String host =<\/span> uri.<\/span>getHost<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>优点<\/strong>:<\/p>

比URL类更严格遵循RFC规范<\/li>
对特殊字符处理更规范<\/li>
<\/ul>
3. Spring的UriComponentsBuilder<\/code><\/h3>
UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>"http:\/\/example.com"<\/span>).<\/span>build<\/span>().<\/span>getHost<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>问题<\/strong>:<\/p>

在受影响版本中存在CVE-2024-22243漏洞<\/li>
用户信息部分处理不当<\/li>
<\/ul>
4. Apache HttpClient<\/h3>
URIBuilder uriBuilder =<\/span> new<\/span> URIBuilder(<\/span>"http:\/\/example.com"<\/span>);<\/span>
<\/span><\/span>String host =<\/span> uriBuilder.<\/span>getHost<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>特点<\/strong>:<\/p>

通常有更严格的验证<\/li>
可配置主机名验证策略<\/li>
<\/ul>
安全防护建议<\/h2>
1. 输入验证<\/h3>
\/\/ 使用白名单验证合法域名
<\/span><\/span><\/span><\/span>private<\/span> static<\/span> final<\/span> Pattern DOMAIN_PATTERN =<\/span> Pattern.<\/span>compile<\/span>(<\/span>"^([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,}$"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> boolean<\/span> isValidHost<\/span>(<\/span>String host)<\/span> {<\/span>
<\/span><\/span>    return<\/span> DOMAIN_PATTERN.<\/span>matcher<\/span>(<\/span>host).<\/span>matches<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 使用安全的解析方式<\/h3>
\/\/ 优先使用URI而非URL
<\/span><\/span><\/span><\/span>URI uri =<\/span> new<\/span> URI(<\/span>inputUrl);<\/span>
<\/span><\/span>String host =<\/span> uri.<\/span>getHost<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 验证host是否在允许列表中
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>ALLOWED_DOMAINS.<\/span>contains<\/span>(<\/span>host))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> SecurityException(<\/span>"Domain not allowed"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 防御DNS重绑定<\/h3>
\/\/ 解析后立即获取IP并缓存
<\/span><\/span><\/span><\/span>InetAddress address =<\/span> InetAddress.<\/span>getByName<\/span>(<\/span>host);<\/span>
<\/span><\/span>String ip =<\/span> address.<\/span>getHostAddress<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 后续请求中直接使用IP而非host
<\/span><\/span><\/span>\/\/ 并验证IP是否在允许范围内
<\/span><\/span><\/span><\/code><\/pre>4. 升级Spring框架<\/h3>
对于使用Spring的项目：<\/p>

升级到Spring Framework 6.0.17+ 或 5.3.32+<\/li>
或应用相关补丁<\/li>
<\/ul>
漏洞利用场景<\/h2>
开放重定向攻击<\/h3>
攻击者可构造恶意链接：<\/p>
https:\/\/victim.com\/redirect?url=http:\/\/user[evil.com@legitimate.com\/
<\/code><\/pre>
若服务端仅检查evil.com<\/code>而实际重定向到legitimate.com<\/code>，则可能绕过检查。<\/p>
SSRF攻击<\/h3>
当应用使用UriComponentsBuilder<\/code>解析用户提供的URL并访问时：<\/p>
UriComponents uri =<\/span> UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>userInput).<\/span>build<\/span>();<\/span>
<\/span><\/span>\/\/ 错误地认为host是evil.com，实际请求发送到internal-server
<\/span><\/span><\/span><\/code><\/pre>测试用例<\/h2>
验证漏洞存在<\/h3>
@Test<\/span>
<\/span><\/span>void<\/span> testMalformedHost<\/span>()<\/span> {<\/span>
<\/span><\/span>    String maliciousUrl =<\/span> "http:\/\/user[evil.com@legitimate.com\/path"<\/span>;<\/span>
<\/span><\/span>    UriComponents components =<\/span> UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>maliciousUrl).<\/span>build<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 在受影响版本中，getHost()返回evil.com，但实际请求发送到legitimate.com
<\/span><\/span><\/span><\/span>    assertEquals(<\/span>"legitimate.com"<\/span>,<\/span> components.<\/span>getHost<\/span>());<\/span> \/\/ 应失败
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>安全解析测试<\/h3>
@Test<\/span>
<\/span><\/span>void<\/span> testSafeHostExtraction<\/span>()<\/span> throws<\/span> URISyntaxException {<\/span>
<\/span><\/span>    String url =<\/span> "http:\/\/user[evil.com@legitimate.com\/path"<\/span>;<\/span>
<\/span><\/span>    URI uri =<\/span> new<\/span> URI(<\/span>url);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ java.net.URI正确处理这种情况
<\/span><\/span><\/span><\/span>    assertEquals(<\/span>"legitimate.com"<\/span>,<\/span> uri.<\/span>getHost<\/span>());<\/span> \/\/ 通过
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>修复方案<\/h2>
Spring官方修复<\/h3>
Spring团队在修复版本中改进了UriComponentsBuilder<\/code>的实现：<\/p>

严格处理用户信息部分中的特殊字符<\/li>
确保getHost()<\/code>返回实际请求发送到的host<\/li>
<\/ol>
自定义防护<\/h3>
若无法立即升级，可实现自定义验证：<\/p>
public<\/span> static<\/span> String getVerifiedHost<\/span>(<\/span>String url)<\/span> throws<\/span> MalformedURLException {<\/span>
<\/span><\/span>    URI uri;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        uri =<\/span> new<\/span> URI(<\/span>url);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>URISyntaxException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> MalformedURLException(<\/span>"Invalid URL"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String host =<\/span> uri.<\/span>getHost<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>host ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> MalformedURLException(<\/span>"No host found"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 额外的host验证
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>isAllowedHost(<\/span>host))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> SecurityException(<\/span>"Host not allowed"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> host;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
CVE-2024-22243揭示了URL解析过程中边缘情况处理的重要性。在Java开发中，应注意：<\/p>

谨慎选择URL解析工具，了解其行为差异<\/li>
永远不要信任用户提供的URL，必须进行严格验证<\/li>
使用白名单而非黑名单进行host验证<\/li>
保持框架和库的最新版本<\/li>
对于安全关键操作，考虑多层验证机制<\/li>
<\/ol>
通过深入理解这些解析细节和安全实践，可以有效预防此类漏洞的发生。<\/p>

CVE-2024-22243漏洞分析与Java中Host获取方式安全研究<\/h1>

漏洞概述<\/h2> CVE-2024-22243是Spring框架中UriComponentsBuilder<\/code>组件在处理URL时存在的一个安全漏洞。该漏洞源于对用户信息(userinfo)部分中方括号([]<\/code>)字符的不当处理，导致攻击者可以构造特殊URL绕过主机名验证机制。<\/p>

漏洞原理分析<\/h2>

Java中常见的Host获取方式<\/h2>

安全防护建议<\/h2>

漏洞利用场景<\/h2>

测试用例<\/h2>

修复方案<\/h2>

漏洞概述<\/h2>
CVE-2024-22243是Spring框架中`UriComponentsBuilder<\/code>组件在处理URL时存在的一个安全漏洞。该漏洞源于对用户信息(userinfo)部分中方括号([]<\/code>)字符的不当处理，导致攻击者可以构造特殊URL绕过主机名验证机制。<\/p>`