0x00 Product Introduction
Config-Server
and Config-Client
two roles. Wherein Config-Server may be configured to acquire a variety of sources disposed, as seen from git, svn, native like.
Where the first red box, https://github.com/spring-cloud/spring-cloud-config/commit/651f458919c40ef9a5e93e7d76bf98575910fad0
In the test code below some additions and changes, which findOne function on the inside of the payload once CVE-2019-3799 test code, test codes have been additions and changes must be done to change this loophole once, the focus of notes used here It is native local repository configuration
According to the above analysis, try to configure sping-cloud-config-server repository local repository during authentication
The variation of resolveName resolveLabel and try to break the @RequestMapping ( "/ {name} / {profile} / {label} / **")
In tracking function to GenericResourceRepository findOne
Changes github commit contrast, the new location of a judge
Guess this.service.getLocations in a problem, continue to follow up
Continue to follow up getLocations, the program jumps org.springframework.cloud.config.server.environment.NativeEnvironmentRepository getLocations method
The label is true with the location directly at addLableLocations property stitching, to determine whether a directory exists, there is then added to the output array, and finally pass into the Locations object is returned, it is clear that this is the problem
In connection with the previous resolveLable retrieve the label in process (_) is replaced by /, which can be configured to find out the payload of
The key point made it clear that, after subsequent testing, payload structure is as follows:
payload
1 doubt: according to the test directory, the directory should be a two-jump to the root of why there by a three-jump?
See FileUrlResource in first with createRelcativeURL been processed
Continue to follow up, to deal with the URL found
Follow internal, found parseURL strips the first /../, so the actual time to jump catalog of more than passing
Doubt 2: Why not obtain the file without a suffix?
See retrieve function in the operation to get the file back content, "StringUtils.getFilenameExtension (resource.getFilename ()) toLowerCase ();.", Try to get a suffix, because there is no suffix returns null, null object do toLowerCase abnormal operation, and then to do because there is no exception caught, causing the program to exit
When subsequent official patch vulnerabilities as well say this to bug fixes, https://github.com/spring-cloud/spring-cloud-config/commit/740153b5aa74d960116f28be9c755e3b7debd2a2