jetty 9出于安全原因不想显示stacktraces

mzsu5hc0  于 2021-07-13  发布在  Java
关注(0)|答案(2)|浏览(392)

版本:jetty-9.4.38.v2020224、logging slf4jlog、spring boot v2.4.4、spring v5.3.5。
在我们的代码中执行了pentest,在用curl发送了格式错误的头之后,我们可以获得以下响应,显示stacktrace并显示其使用jetty:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Bad header value for X-Forwarded-Port</title>
</head>
<body><h2>HTTP ERROR 400 Bad header value for X-Forwarded-Port</h2>
<table>
<tr><th>URI:</th><td>/</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Bad header value for X-Forwarded-Port</td></tr>
<tr><th>SERVLET:</th><td>-</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Port</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.NumberFormatException: For input string: &quot;zwrtxqvas9lm4kzkw0&quot;</td></tr>
</table>
<h3>Caused by:</h3><pre>org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Port
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.onError(ForwardedRequestCustomizer.java:550)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.customize(ForwardedRequestCustomizer.java:478)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:384)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NumberFormatException: For input string: &quot;zwrtxqvas9lm4kzkw0&quot;
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.lang.Integer.parseInt(Integer.java:615)
    at org.eclipse.jetty.util.HostPort.parsePort(HostPort.java:171)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer$Forwarded.handleForwardedPort(ForwardedRequestCustomizer.java:856)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.customize(ForwardedRequestCustomizer.java:473)
    ... 15 more
</pre>

</body>
</html>

以前为了不公开jetty版本,我禁用了sendserverversion,但是没有找到任何配置来禁用stacktraces。

@Configuration
public class JettyConfiguration implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {

    @Override
    public void customize(JettyServletWebServerFactory factory) {

        factory.addServerCustomizers(server -> {

            /* StatisticsHandler needed for graceful shutdown */
            StatisticsHandler statisticsHandler = new StatisticsHandler();
            statisticsHandler.setHandler(server.getHandler());
            server.setHandler(statisticsHandler);

            /* Autoforwarded Configuration */
            for (Connector connector : server.getConnectors()) {
                ConnectionFactory connectionFactory = connector.getDefaultConnectionFactory();
                if (connectionFactory instanceof HttpConnectionFactory) {
                    HttpConnectionFactory defaultConnectionFactory = (HttpConnectionFactory) connectionFactory;
                    HttpConfiguration httpConfiguration = defaultConnectionFactory.getHttpConfiguration();
                    httpConfiguration.setSendServerVersion(false);
                    httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
                }
            }

        });

    }

}

禁用堆栈跟踪的最佳方法是什么?短暂性脑缺血发作

springjetty-9

2条答案

按热度按时间
6gpjuf90

6gpjuf901#

jetty作为大多数web服务器将提供一个默认的异常处理程序。如果您不喜欢默认的异常处理程序,那么注册您的异常处理程序。
只需为runntimeexception提供一个exceptionhandler并提供一个常规错误。例如,后端失败,请稍后再试,状态为500。
有很多关于如何在spring中实现异常处理程序的文章。我加了一个仅供参考
异常处理spring boot

赞(0)分享  回复(0)举报  2021-07-13
mkshixfv

mkshixfv2#

首先尝试通过使用@controlleradvice实现一个globalexceptionhandler来解决这个问题,不幸的是这似乎没有被触发,我相信这与它意味着mvc抛出的异常有关。
笔测试程序创建的请求使用了格式错误的头,因此错误由errorhandler抛出,我最终创建了自己的errorhandler并重写了handle方法。
这似乎做的诀窍,但可能太严格,我担心这将使困难的调试在未来。有什么建议或改进吗?谢谢

import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.springframework.boot.web.embedded.jetty.JettyServerCustomizer;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Configuration
public class JettyConfiguration implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {

    @Override
    public void customize(JettyServletWebServerFactory factory) {

        JettyServerCustomizer customizer = server -> {
            MyErrorHandler myErrorHandler = new MyErrorHandler();
            myErrorHandler.setShowStacks(false);
            myErrorHandler.setShowMessageInTitle(false);
            myErrorHandler.setShowServlet(false);
            server.setErrorHandler(myErrorHandler);
        };
        factory.addServerCustomizers(customizer);

        factory.addServerCustomizers(server -> {

            /* Autoforwarded Configuration */
            for (Connector connector : server.getConnectors()) {
                ConnectionFactory connectionFactory = connector.getDefaultConnectionFactory();
                if (connectionFactory instanceof HttpConnectionFactory) {
                    HttpConnectionFactory defaultConnectionFactory = (HttpConnectionFactory) connectionFactory;
                    HttpConfiguration httpConfiguration = defaultConnectionFactory.getHttpConfiguration();
                    httpConfiguration.setSendServerVersion(false);
                    httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
                }
            }

        });

    }

    static class MyErrorHandler extends ErrorHandler {

        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
        {
            //doError(target, baseRequest, request, response);
        }

    }

}
赞(0)分享  回复(0)举报  2021-07-13
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com