Struts2框架逻辑概述与漏洞分析<\/h1>

1. Struts2框架概述<\/h2>
Struts2是一个基于JavaEE的MVC框架，虽然基于Servlet API，但通过Filter机制实现核心功能。这种设计使Struts2应用更加灵活高效。<\/p>

1.1 基本配置<\/h3>

web.xml配置示例<\/strong>：<\/p>

<filter><\/span>
<\/span><\/span>    <filter-name><\/span>struts2<\/filter-name><\/span>
<\/span><\/span>    <filter-class><\/span>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter<\/filter-class><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>    <filter-name><\/span>struts2<\/filter-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/*<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>struts.xml配置示例<\/strong>：<\/p>
<struts><\/span>
<\/span><\/span>    <constant<\/span> name=<\/span>"struts.devMode"<\/span> value=<\/span>"true"<\/span> \/><\/span>
<\/span><\/span>    <package<\/span> name=<\/span>"myapp"<\/span> extends=<\/span>"struts-default"<\/span>><\/span>
<\/span><\/span>        <action<\/span> name=<\/span>"myaction"<\/span>><\/span>
<\/span><\/span>            <result><\/span>\/index.jsp<\/result><\/span>
<\/span><\/span>        <\/action><\/span>
<\/span><\/span>    <\/package><\/span>
<\/span><\/span><\/struts><\/span>
<\/span><\/span><\/code><\/pre>2. Struts2核心处理逻辑<\/h2>
2.1 请求处理流程<\/h3>

FilterPipeline处理<\/strong>：使用过滤器链处理每个请求<\/li>
StrutsPrepareAndExecuteFilter<\/strong>：第一个过滤器，负责：

准备请求参数<\/li>
执行控制器方法<\/li>
处理结果<\/li>
清理请求<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 URL获取逻辑<\/h3>
org.apache.struts2.RequestUtils#getUri<\/code>方法逻辑：<\/p>

尝试获取javax.servlet.include.servlet_path<\/code>属性<\/li>
如果为空，使用getServletPath()<\/code><\/li>
如果Servlet路径为空，使用request.getRequestURI()<\/code><\/li>
移除上下文路径获取相对路径<\/li>
<\/ol>
2.3 请求处理核心方法<\/h3>
handleRequest方法<\/strong>：<\/p>

接收HttpServletRequest<\/code>对象<\/li>
根据路径和参数查找对应Action类<\/li>
调用execute<\/code>方法执行业务逻辑<\/li>
<\/ul>
executeStaticResourceRequest方法<\/strong>：<\/p>
public<\/span> boolean<\/span> executeStaticResourceRequest<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> 
<\/span><\/span>    throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>    String resourcePath =<\/span> RequestUtils.<\/span>getServletPath<\/span>(<\/span>request);<\/span>
<\/span><\/span>    if<\/span> (<\/span>""<\/span>.<\/span>equals<\/span>(<\/span>resourcePath)<\/span> &&<\/span> null<\/span> !=<\/span> request.<\/span>getPathInfo<\/span>())<\/span> {<\/span>
<\/span><\/span>        resourcePath =<\/span> request.<\/span>getPathInfo<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    StaticContentLoader staticResourceLoader =<\/span> dispatcher.<\/span>getContainer<\/span>().<\/span>getInstance<\/span>(<\/span>StaticContentLoader.<\/span>class<\/span>);<\/span>
<\/span><\/span>    if<\/span> (<\/span>staticResourceLoader.<\/span>canHandle<\/span>(<\/span>resourcePath))<\/span> {<\/span>
<\/span><\/span>        staticResourceLoader.<\/span>findStaticResource<\/span>(<\/span>resourcePath,<\/span> request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.4 静态资源处理<\/h3>
uiStaticContentPath<\/strong>：<\/p>

指定UI静态内容路径（默认"WEB-INF\/struts-ui-static"）<\/li>
cleanupPath<\/code>方法处理路径：<\/li>
<\/ul>
protected<\/span> String cleanupPath<\/span>(<\/span>String path)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>path.<\/span>startsWith<\/span>(<\/span>uiStaticContentPath))<\/span> {<\/span>
<\/span><\/span>        return<\/span> path.<\/span>substring<\/span>(<\/span>uiStaticContentPath.<\/span>length<\/span>());<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        return<\/span> path;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>DefaultStaticContentLoader#findStaticResource<\/strong>：<\/p>

根据请求路径查找静态资源<\/li>
返回包含文件信息的StaticResource<\/code>对象<\/li>
<\/ul>
2.5 路径处理关键点<\/h3>

二次解码URL<\/strong>：<\/li>
<\/ol>
protected<\/span> String buildPath<\/span>(<\/span>String name,<\/span> String packagePrefix)<\/span> throws<\/span> UnsupportedEncodingException {<\/span>
<\/span><\/span>    String resourcePath;<\/span>
<\/span><\/span>    if<\/span> (<\/span>packagePrefix.<\/span>endsWith<\/span>(<\/span>"\/"<\/span>)<\/span> &&<\/span> name.<\/span>startsWith<\/span>(<\/span>"\/"<\/span>))<\/span> {<\/span>
<\/span><\/span>        resourcePath =<\/span> packagePrefix +<\/span> name.<\/span>substring<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        resourcePath =<\/span> packagePrefix +<\/span> name;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> URLDecoder.<\/span>decode<\/span>(<\/span>resourcePath,<\/span> encoding);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
pathPrefixes<\/strong>：<\/li>
<\/ol>
org\/apache\/struts2\/static\/template\/static\/
org\/apache\/struts2\/interceptor\/debugging\/
<\/code><\/pre>
3. 路由映射机制<\/h2>
3.1 ActionMapping<\/h3>

映射HTTP请求到Action类<\/li>
包含信息：

Action类全限定名<\/li>
请求方法<\/li>
请求路径<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 路由查找逻辑<\/h3>
org.apache.struts2.dispatcher.mapper.DefaultActionMapper#getMapping<\/code>：<\/p>

遍历PackageConfig<\/code>配置查找匹配URI<\/li>
获取namespace和actionName<\/li>
URI中斜杠之前的部分不影响路由结果<\/li>
<\/ul>
示例<\/strong>：<\/p>
ActionMapping mapping1 =<\/span> new<\/span> ActionMapping(<\/span>"\/users"<\/span>,<\/span> "users"<\/span>,<\/span> "list"<\/span>);<\/span>
<\/span><\/span>ActionMapping mapping2 =<\/span> new<\/span> ActionMapping(<\/span>"\/users\/{id}"<\/span>,<\/span> "users"<\/span>,<\/span> "show"<\/span>);<\/span>
<\/span><\/span>ActionMapping mapping3 =<\/span> new<\/span> ActionMapping(<\/span>"\/users\/{id}\/edit"<\/span>,<\/span> "users"<\/span>,<\/span> "edit"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.3 命名空间处理<\/h3>

默认命名空间是空字符串<\/li>
作为"catch-all"命名空间<\/li>
如果在指定命名空间找不到action配置，会搜索默认命名空间<\/li>
<\/ul>
3.4 ActionProxy<\/h3>

代理对象，封装Action类方法<\/li>
提供execute<\/code>方法<\/li>
执行流程：

查找ActionMapping<\/li>
创建ActionProxy<\/li>
调用拦截器<\/li>
执行Action方法<\/li>
返回ActionResult<\/li>
<\/ol>
<\/li>
<\/ul>
3.5 serviceAction方法<\/h3>
org.apache.struts2.dispatcher.Dispatcher#serviceAction<\/code>：<\/p>

查找ActionMapping<\/li>
通过ActionProxy执行Action<\/li>
处理异常并返回ActionResult<\/li>
<\/ul>
4. 拦截器机制<\/h2>
4.1 Interceptors<\/h3>

每个Action类对应一个ActionInterceptor列表<\/li>
在执行Action前后调用拦截器<\/li>
可对请求和响应进行处理：

添加请求头<\/li>
修改请求参数<\/li>
拦截请求执行<\/li>
<\/ul>
<\/li>
<\/ul>
4.2 setParameters方法<\/h3>

将请求参数绑定到Action类的POJO对象<\/li>
使用OGNL引擎实现参数绑定<\/li>
通过getter\/setter方法完成绑定<\/li>
<\/ul>
5. 漏洞分析（CVE-2023-22518）<\/h2>
5.1 漏洞原理<\/h3>

namespaceActionConfigs<\/code>哈希表包含：

当前package定义的action<\/li>
通过extends<\/code>继承的父package中的action<\/li>
<\/ul>
<\/li>
路由可能指向非预期URL<\/li>
<\/ul>
5.2 配置示例<\/h3>
<package<\/span> name=<\/span>"default"<\/span>><\/pacakge><\/span>
<\/span><\/span><package<\/span> name=<\/span>"setup"<\/span> extends=<\/span>"default"<\/span> namespace=<\/span>"\/setup"<\/span>><\/span>
<\/span><\/span>    <action<\/span> name=<\/span>"setup-restore"<\/span> class=<\/span>"com.atlassian.confluence.importexport.actions.SetupRestoreAction"<\/span>><\/span>
<\/span><\/span>    <\/action><\/span>
<\/span><\/span><\/package><\/span>
<\/span><\/span><package<\/span> name=<\/span>"admin"<\/span> extends=<\/span>"setup"<\/span> namespace=<\/span>"\/admin"<\/span>><\/span>
<\/span><\/span>    <action<\/span> name=<\/span>"console"<\/span> class=<\/span>"com.atlassian.confluence.admin.actions.AdministrationConsoleAction"<\/span> method=<\/span>"doDefault"<\/span>><\/span>
<\/span><\/span>    <\/action><\/span>
<\/span><\/span><\/pacakge><\/span>
<\/span><\/span><package<\/span> name=<\/span>"json"<\/span> extends=<\/span>"admin"<\/span> namespace=<\/span>"\/json"<\/span>><\/pacakge><\/span>
<\/span><\/span><\/code><\/pre>
请求\/json\/console<\/code>会直接指向\/admin\/console<\/code><\/li>
<\/ul>
5.3 补丁分析<\/h3>
@Deprecated<\/span>
<\/span><\/span>@WebSudoRequired<\/span>
<\/span><\/span>@SystemAdminOnly<\/span>
<\/span><\/span>public<\/span> class<\/span> SetupRestoreAction<\/span> extends<\/span> RestoreAction {<\/span>
<\/span><\/span>    \/\/ 添加了权限注解
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 安全建议<\/h2>

及时更新Struts2版本<\/li>
限制静态资源访问<\/li>
谨慎配置package继承关系<\/li>
对敏感操作添加权限控制<\/li>
避免使用开发模式(struts.devMode)生产环境<\/li>
<\/ol>

Struts2框架逻辑概述与漏洞分析<\/h1>

1. Struts2框架概述<\/h2> Struts2是一个基于JavaEE的MVC框架，虽然基于Servlet API，但通过Filter机制实现核心功能。这种设计使Struts2应用更加灵活高效。<\/p>

2. Struts2核心处理逻辑<\/h2>

3. 路由映射机制<\/h2>

4. 拦截器机制<\/h2>

5. 漏洞分析（CVE-2023-22518）<\/h2>

6. 安全建议<\/h2> 及时更新Struts2版本<\/li> 限制静态资源访问<\/li> 谨慎配置package继承关系<\/li> 对敏感操作添加权限控制<\/li> 避免使用开发模式(struts.devMode)生产环境<\/li> <\/ol>

1. Struts2框架概述<\/h2>
Struts2是一个基于JavaEE的MVC框架，虽然基于Servlet API，但通过Filter机制实现核心功能。这种设计使Struts2应用更加灵活高效。<\/p>

6. 安全建议<\/h2>

及时更新Struts2版本<\/li>
限制静态资源访问<\/li>
谨慎配置package继承关系<\/li>
对敏感操作添加权限控制<\/li>
避免使用开发模式(struts.devMode)生产环境<\/li> <\/ol>