Nacos versions before 1.4.1 have an authentication vulnerability; upgrading to the latest version is recommended

nacos.core.auth.enabled=true 

Even with authentication enabled, information can still be retrieved by adding a request parameter.

1.4.1

nacos.core.auth.enabled=true

### Since 1.4.1, Turn on/off white auth for user-agent: nacos-server, only for upgrade from old version.
nacos.core.auth.enable.userAgentAuthWhite=false

### Since 1.4.1, worked when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
### The two properties is the white list for auth and used by identity the request from other server.
nacos.core.auth.server.identity.key=aaa
nacos.core.auth.server.identity.value=bbb

When requesting a URL, include:

key : value
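
An added example (not from the original post or the Nacos project): a small Go check that audits the auth properties shown above and reports settings that leave authentication off, the user-agent whitelist on, or the server identity pair unset or short. The function names and the 16-character minimum are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const minSecretLen = 16 // assumed local policy threshold, not a Nacos requirement

// parseProps reads key=value lines, skipping blank lines and '#' comments.
func parseProps(text string) map[string]string {
	props := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			props[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return props
}

// AuditNacosAuth (hypothetical helper) returns one finding per weak auth setting.
func AuditNacosAuth(text string) []string {
	p, findings := parseProps(text), []string{}
	if p["nacos.core.auth.enabled"] != "true" {
		findings = append(findings, "nacos.core.auth.enabled is not true")
	}
	if p["nacos.core.auth.enable.userAgentAuthWhite"] != "false" {
		findings = append(findings, "userAgentAuthWhite is absent or not false")
	}
	for _, k := range []string{"key", "value"} {
		name := "nacos.core.auth.server.identity." + k
		if len(p[name]) < minSecretLen {
			findings = append(findings, fmt.Sprintf("%s is unset or under %d chars", name, minSecretLen))
		}
	}
	return findings
}

// pageSample is constructed from the property values shown on this page.
const pageSample = `nacos.core.auth.enabled=true
### Since 1.4.1, worked when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=aaa
nacos.core.auth.server.identity.value=bbb`

func main() {
	fmt.Println(strings.Join(AuditNacosAuth(pageSample), "\n"))
}
```

Run against the page's sample values, it reports the `aaa` / `bbb` identity pair as too short; a file with long, unique values and the whitelist set to false produces no findings.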

sdk-go

A username and password must be added before information can be retrieved.

package main

import (
    "fmt"
    "log"

    "github.com/nacos-group/nacos-sdk-go/clients"
    "github.com/nacos-group/nacos-sdk-go/common/constant"
    "github.com/nacos-group/nacos-sdk-go/vo"
)

func main() {
    clientConfig := constant.ClientConfig{
        TimeoutMs:           5000,
        NotLoadCacheAtStart: true,
        RotateTime:          "1h",
        MaxAge:              3,
        LogLevel:            "debug",
        // Credentials the server checks once nacos.core.auth.enabled=true.
        Username: "nacos",
        Password: "nacos",
    }

    // At least one ServerConfig is required.
    serverConfigs := []constant.ServerConfig{
        {
            IpAddr:      "192.168.100.100",
            ContextPath: "/nacos",
            Port:        8848,
            Scheme:      "http",
        },
    }

    // Another way to create the dynamic configuration client (recommended).
    configClient, err := clients.NewConfigClient(
        vo.NacosClientParam{
            ClientConfig:  &clientConfig,
            ServerConfigs: serverConfigs,
        },
    )
    if err != nil {
        log.Fatalf("create config client: %v", err)
    }

    // Fetch the configuration; this fails if the login is rejected.
    content, err := configClient.GetConfig(vo.ConfigParam{
        DataId: "1",
        Group:  "DEFAULT_GROUP",
    })
    if err != nil {
        log.Fatalf("get config: %v", err)
    }

    fmt.Println(content)
}