漏洞扫描

修复trace和track漏洞，在网关层添加代码会在token验证前拦截非法请求

ibps-basis-root/modules/basis-zuul/src/main/java/com/lc/ibps/cloud/gateway/filter/TraceBlockFilter.java

@@ -0,0 +1,49 @@
+package com.lc.ibps.cloud.gateway.filter;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+@Component
+public class TraceBlockFilter implements Filter {
+    private static final Logger logger = LoggerFactory.getLogger(TraceBlockFilter.class);
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        String method = httpRequest.getMethod();
+        String requestPath = httpRequest.getRequestURI();
+        //System.out.println(">>>>> 原生过滤器捕获方法: " + method);
+   /*     if ("/health".equals(requestPath) || "/ping".equals(requestPath)) {
+            // 是心跳检查请求
+            chain.doFilter(httpRequest, response);
+            return;
+        }*/
+        logger.warn("TraceBlockFilter.doFilter --warn--请求方法：{}",method);
+        logger.info("TraceBlockFilter.doFilter --info--请求方法：{}",method);
+        if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) {
+            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+            httpResponse.getWriter().write("Method " + method + " is not allowed.");
+            return; // 直接返回，不继续 chain.doFilter
+        }
+
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}