feat: 禁用【TRACE/TRACK】 方法

backend/src/main/java/io/dataease/commons/filter/SqlFilter.java

@@ -5,6 +5,7 @@ import io.dataease.commons.wrapper.XssAndSqlHttpServletRequestWrapper;
 import org.apache.commons.lang3.StringUtils;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 
 
@@ -22,6 +23,13 @@ public class SqlFilter implements Filter {
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        if ("TRACE".equalsIgnoreCase(httpRequest.getMethod()) || "TRACK".equalsIgnoreCase(httpRequest.getMethod())) {
+            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+            return;
+        }
+
         String method = "GET";
         String param = "";
         XssAndSqlHttpServletRequestWrapper xssRequest = null;