diff --git a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
index e661844f49489748acf471f95fe00705a5ae14be..227149493d4025003db292ab83de72ae3c4ac53b 100644
--- a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
@@ -56,7 +56,12 @@ public class TrustHostFilter implements Filter {
 public boolean isNotTrustHost(String host) {
 // 如果配置了黑名单,优先检查黑名单
 if (CollectionUtils.isNotEmpty(ConfigConstants.getNotTrustHostSet())) {
- return ConfigConstants.getNotTrustHostSet().contains(host);
+ // 检查是否有匹配的黑名单规则(支持通配符)
+ for (String notTrustHost : ConfigConstants.getNotTrustHostSet()) {
+ if (matchesWithWildcard(host, notTrustHost)) {
+ return true;
+ }
+ }
 }
 
 // 如果配置了白名单,检查是否在白名单中
@@ -66,7 +71,13 @@ public class TrustHostFilter implements Filter {
 logger.debug("允许所有主机访问(通配符模式): {}", host);
 return false;
 }
- return !ConfigConstants.getTrustHostSet().contains(host);
+
+ // 检查是否有匹配的白名单规则(支持通配符)
+ for (String trustHost : ConfigConstants.getTrustHostSet()) {
+ if (matchesWithWildcard(host, trustHost)) {
+ return false;
+ }
+ }
 }
 
 // 安全加固:默认拒绝所有未配置的主机(防止SSRF攻击)
@@ -75,6 +86,24 @@ public class TrustHostFilter implements Filter {
 return true;
 }
 
+ /**
+ * 检查主机是否与模式匹配,支持通配符*
+
+ * @param host 实际主机
+ * @param pattern 模式(可能包含通配符*)
+ * @return 是否匹配
+ */
+ private boolean matchesWithWildcard(String host, String pattern) {
+ if (pattern.contains("*")) {
+ // 将通配符模式转换为正则表达式
+ String regex = pattern.replace(".", "\\.").replace("*", ".*");
+ return host.matches(regex);
+ } else {
+ // 精确匹配
+ return host.equals(pattern);
+ }
+ }
+
 @Override
 public void destroy() {
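Review bot: The new deny-list loop no longer returns when nothing matches: the removed line returned `false` for any host absent from the deny list, whereas the new code falls through to the allow-list check and, when no allow list is configured, to the default-deny `return true` at the end of isNotTrustHost. If that stricter behaviour is intended it deserves an explicit comment after the loop, e.g. `// no deny-list match: continue to the allow-list check (default deny) rather than allowing the host here`; if it is not, a `return false;` after the loop restores the previous semantics. The loop also recompiles a regex for every deny-list entry on each request through String.matches, so a long list may warrant precompiling the patterns once when the configuration is loaded. isNotTrustHost continues past this hunk.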
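Review bot: This allow-list loop and the deny-list loop in the previous hunk both rely on matchesWithWildcard, whose regex conversion in the third hunk escapes only `.`, so any other regex metacharacter in a configured entry (`+`, `?`, `[`, `(`, `|`, `$`) is interpreted as regex syntax: a malformed entry makes String.matches throw PatternSyntaxException and fail the request, and an unescaped `|` silently turns one entry into an alternation that admits more hosts than the operator wrote. Quoting the literal segments fixes both: `String regex = Arrays.stream(pattern.split("\\*", -1)).map(Pattern::quote).collect(Collectors.joining(".*"));` followed by the existing `return host.matches(regex);`. Because `.*` matches across dots, an allow-list entry such as `*.example.com` also accepts hosts with more labels in front, which is probably intended but should be stated in the method's Javadoc. The definition of matchesWithWildcard in the third hunk runs past the end of this chunk.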