Java Web安全：getRequestURL与getRequestURI导致的鉴权绕过分析<\/h1>

概述<\/h2>
本文详细分析Java Web应用中由于使用`getRequestURL()<\/code>和getRequestURI()<\/code>方法获取请求路径而可能导致的安全鉴权绕过问题。通过对比不同URL获取方法的差异，解释攻击者如何利用这些差异绕过安全控制，并提供防御建议。<\/p>`

URL获取方法对比<\/h2>
Java Servlet API提供了几种获取请求URL的方法，它们在处理特殊字符时表现不同：<\/p>


getRequestURI()<\/strong><\/p>

返回请求的URI部分（不包括协议、主机和端口）<\/li>
示例：对于http:\/\/example.com\/path\/index.html;.css<\/code>，返回\/path\/index.html;.css<\/code><\/li>
特点：包含特殊字符如分号、点号等<\/li>
<\/ul>
<\/li>

getRequestURL()<\/strong><\/p>

返回完整的请求URL（包括协议、主机和端口，但不包括查询字符串）<\/li>
示例：对于上述请求，返回http:\/\/example.com\/path\/index.html;.css<\/code><\/li>
特点：同样包含特殊字符<\/li>
<\/ul>
<\/li>

getServletPath()<\/strong><\/p>

返回映射到Servlet的路径部分<\/li>
示例：对于上述请求，可能返回\/path\/index.html<\/code><\/li>
特点：通常不包含特殊字符，更"干净"<\/li>
<\/ul>
<\/li>
<\/ol>
安全绕过原理<\/h2>
1. 基于后缀的鉴权绕过<\/h3>
常见漏洞场景：过滤器检查URL是否以特定后缀（如.css<\/code>、.js<\/code>）结尾来决定是否放行请求。<\/p>
漏洞代码示例：<\/strong><\/p>
String requestURL =<\/span> req.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>if<\/span> (<\/span>requestURL.<\/span>endsWith<\/span>(<\/span>".css"<\/span>))<\/span> {<\/span>
<\/span><\/span>    chain.<\/span>doFilter<\/span>(<\/span>request,<\/span>response);<\/span>
<\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    \/\/ 拒绝访问
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法：<\/strong><\/p>

在URL后添加;.css<\/code>：\/protected\/resource;.css<\/code><\/li>
添加\/.css<\/code>：\/protected\/resource\/.css<\/code><\/li>
添加%2e.css<\/code>：\/protected\/resource%2e.css<\/code><\/li>
<\/ul>
2. 基于路径前缀的鉴权绕过<\/h3>
当过滤器检查URL是否以特定路径开头时：<\/p>
漏洞代码示例：<\/strong><\/p>
if<\/span> (<\/span>requestURL.<\/span>startsWith<\/span>(<\/span>"\/css"<\/span>))<\/span> {<\/span>
<\/span><\/span>    chain.<\/span>doFilter<\/span>(<\/span>request,<\/span>response);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法：<\/strong><\/p>

使用路径遍历：\/css\/..\/protected\/resource<\/code><\/li>
URL编码：\/%63ss\/protected\/resource<\/code><\/li>
<\/ul>
3. equals与endsWith\/startsWith的区别<\/h3>

equals<\/strong>：严格匹配整个字符串，难以绕过<\/li>
endsWith\/startsWith<\/strong>：只检查结尾\/开头部分，容易通过添加特殊字符绕过<\/li>
indexOf<\/strong>：检查字符串中是否包含特定子串，同样容易绕过<\/li>
<\/ul>
实际案例分析<\/h2>
案例1：SQL注入过滤器绕过<\/h3>
某系统使用getRequestURL()<\/code>获取路径并检查是否包含特定关键词来过滤SQL注入：<\/p>
String requestURL =<\/span> req.<\/span>getRequestURL<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>if<\/span> (<\/span>requestURL.<\/span>indexOf<\/span>(<\/span>"select"<\/span>)<\/span> !=<\/span> -<\/span>1<\/span>)<\/span> {<\/span>
<\/span><\/span>    \/\/ 阻止请求
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：在URL中添加;select<\/code>等特殊字符，使indexOf<\/code>检查失效。<\/p>
案例2：Spring框架认证绕过<\/h3>
某Spring应用配置了对.js<\/code>和.css<\/code>文件的免认证访问：<\/p>
<security:http<\/span> pattern=<\/span>"\/**.js"<\/span> security=<\/span>"none"<\/span>\/><\/span>
<\/span><\/span><security:http<\/span> pattern=<\/span>"\/**.css"<\/span> security=<\/span>"none"<\/span>\/><\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：访问\/admin\/page;.js<\/code>可能绕过认证检查。<\/p>
防御建议<\/h2>


使用getServletPath()代替getRequestURL()\/getRequestURI()<\/strong><\/p>

getServletPath()<\/code>返回的路径通常已经过规范化处理，不包含特殊字符<\/li>
<\/ul>
<\/li>

规范化路径后再检查<\/strong><\/p>

使用normalize()<\/code>方法处理路径<\/li>
示例：
String path =<\/span> request.<\/span>getServletPath<\/span>();<\/span>
<\/span><\/span>path =<\/span> new<\/span> File(<\/span>path).<\/span>getCanonicalPath<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

严格匹配而非部分匹配<\/strong><\/p>

尽可能使用equals()<\/code>而非endsWith()<\/code>或startsWith()<\/code><\/li>
如需使用部分匹配，应先规范化路径<\/li>
<\/ul>
<\/li>

结合多种检查方法<\/strong><\/p>

同时检查getServletPath()<\/code>和getRequestURI()<\/code><\/li>
验证路径是否符合预期格式<\/li>
<\/ul>
<\/li>

使用框架提供的安全机制<\/strong><\/p>

Spring Security等框架提供了更安全的路径匹配机制<\/li>
<\/ul>
<\/li>
<\/ol>
示例代码<\/h2>
安全过滤器实现<\/h3>
public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span>
<\/span><\/span>    FilterChain chain)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>    
<\/span><\/span>    HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 安全方式1：使用getServletPath()
<\/span><\/span><\/span><\/span>    String servletPath =<\/span> req.<\/span>getServletPath<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>"\/allowed\/path"<\/span>.<\/span>equals<\/span>(<\/span>servletPath))<\/span> {<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 安全方式2：规范化路径
<\/span><\/span><\/span><\/span>    String requestURI =<\/span> req.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>    String normalizedPath =<\/span> Paths.<\/span>get<\/span>(<\/span>requestURI).<\/span>normalize<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>"\/allowed\/normalized"<\/span>.<\/span>equals<\/span>(<\/span>normalizedPath))<\/span> {<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 拒绝访问
<\/span><\/span><\/span><\/span>    response.<\/span>sendError<\/span>(<\/span>HttpServletResponse.<\/span>SC_FORBIDDEN<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>web.xml配置<\/h3>
<filter><\/span>
<\/span><\/span>    <filter-name><\/span>SecurityFilter<\/filter-name><\/span>
<\/span><\/span>    <filter-class><\/span>com.example.SecurityFilter<\/filter-class><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>    <filter-name><\/span>SecurityFilter<\/filter-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/*<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
Java Web应用中，使用getRequestURL()<\/code>和getRequestURI()<\/code>方法获取请求路径可能导致安全鉴权被绕过，因为：<\/p>

这些方法返回的路径包含特殊字符<\/li>
与endsWith()<\/code>、startsWith()<\/code>或indexOf()<\/code>等方法结合使用时容易产生逻辑漏洞<\/li>
攻击者可以通过添加特殊字符(;<\/code>, .<\/code>, \/<\/code>等)绕过检查<\/li>
<\/ol>
最佳实践<\/strong>：<\/p>

优先使用getServletPath()<\/code>获取路径<\/li>
必须使用getRequestURI()<\/code>时应先规范化路径<\/li>
避免仅依赖部分字符串匹配进行安全决策<\/li>
结合多种检查方法提高安全性<\/li>
<\/ul>
通过正确理解这些方法的差异并采用防御性编程技术，可以有效防止此类安全绕过问题。<\/p>