From f33e585a71e9f3d1b019fde40fb25f5acd12aad5 Mon Sep 17 00:00:00 2001
From: zengqiao
Date: Thu, 4 Mar 2021 17:51:35 +0800
Subject: [PATCH] reject req when uri contains ..
---
 .../kafka/manager/account/impl/LoginServiceImpl.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
index 142dd239..591768fb 100644
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
@@ -65,6 +65,11 @@ public class LoginServiceImpl implements LoginService {
 @Override
 public boolean checkLogin(HttpServletRequest request, HttpServletResponse response) {
 String uri = request.getRequestURI();
+ if (uri.contains("..")) {
+ LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal||uri={}", uri);
+ return false;
+ }
+
 if (!(uri.contains(ApiPrefix.API_V1_NORMAL_PREFIX)
 || uri.contains(ApiPrefix.API_V1_RD_PREFIX)
 || uri.contains(ApiPrefix.API_V1_OP_PREFIX))) {
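Review bot: The new guard scans the raw, undecoded value of `request.getRequestURI()` for the literal substring `".."`, so a dot segment that arrives percent-encoded is not caught, while a legitimate path segment such as `foo..bar` is rejected; since the guard exists to stop a traversal-style URI from satisfying the `contains(ApiPrefix...)` checks below it, it should be evaluated on the decoded path and per segment rather than by substring. A clearer form decodes the path via `java.net.URI` (whose `getPath()` percent-decodes) and rejects only when some `/`-delimited segment equals `".."`, treating an unparseable URI as illegal as well. Logging a client-supplied malformed request at `error` level is also likely to be noisy; `warn` matches the severity better. The enclosing `checkLogin` method continues past the end of the hunk.

```java
        String uri = request.getRequestURI();
        // Decode before inspecting: the raw request URI may carry percent-encoded
        // dot segments that a substring scan for ".." would not see.
        String decodedPath;
        try {
            decodedPath = new URI(uri).getPath();
        } catch (URISyntaxException e) {
            decodedPath = null;
        }
        if (decodedPath == null || Arrays.asList(decodedPath.split("/")).contains("..")) {
            LOGGER.warn("class=LoginServiceImpl||method=checkLogin||msg=uri illegal||uri={}", uri);
            return false;
        }
        // … unchanged: API prefix check …
```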