refactor: 增强验证csrftoken

This commit is contained in:
Captain.B 2021-03-26 18:38:16 +08:00
parent 9bfaf7588e
commit 4214e63b71
3 changed files with 10 additions and 3 deletions

View File

@ -1,6 +1,7 @@
package io.metersphere.commons.user; package io.metersphere.commons.user;
import io.metersphere.commons.utils.CodingUtil; import io.metersphere.commons.utils.CodingUtil;
import io.metersphere.commons.utils.SessionUtils;
import io.metersphere.dto.UserDTO; import io.metersphere.dto.UserDTO;
import lombok.Getter; import lombok.Getter;
import lombok.Setter; import lombok.Setter;
@ -28,7 +29,7 @@ public class SessionUser extends UserDTO implements Serializable {
SessionUser sessionUser = new SessionUser(); SessionUser sessionUser = new SessionUser();
BeanUtils.copyProperties(user, sessionUser); BeanUtils.copyProperties(user, sessionUser);
List<String> infos = Arrays.asList(user.getId(), RandomStringUtils.random(6), "" + System.currentTimeMillis()); List<String> infos = Arrays.asList(user.getId(), RandomStringUtils.randomAlphabetic(6), SessionUtils.getSessionId(), "" + System.currentTimeMillis());
sessionUser.csrfToken = CodingUtil.aesEncrypt(StringUtils.join(infos, "|"), secret, iv); sessionUser.csrfToken = CodingUtil.aesEncrypt(StringUtils.join(infos, "|"), secret, iv);
return sessionUser; return sessionUser;
} }

View File

@ -10,7 +10,6 @@ import org.apache.shiro.subject.support.DefaultSubjectContext;
import java.util.Collection; import java.util.Collection;
import java.util.Objects; import java.util.Objects;
import java.util.Optional;
import static io.metersphere.commons.constants.SessionConstants.ATTR_USER; import static io.metersphere.commons.constants.SessionConstants.ATTR_USER;
@ -32,6 +31,10 @@ public class SessionUtils {
} }
} }
public static String getSessionId() {
return (String) SecurityUtils.getSubject().getSession().getId();
}
private static Session getSessionByUsername(String username) { private static Session getSessionByUsername(String username) {
DefaultSessionManager sessionManager = CommonBeanFactory.getBean(DefaultSessionManager.class); DefaultSessionManager sessionManager = CommonBeanFactory.getBean(DefaultSessionManager.class);
Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions(); Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();

View File

@ -71,11 +71,14 @@ public class CsrfFilter extends AnonymousFilter {
csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv); csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv);
String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|"); String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|");
if (signatureArray.length != 3) { if (signatureArray.length != 4) {
throw new RuntimeException("invalid token"); throw new RuntimeException("invalid token");
} }
if (!StringUtils.equals(SessionUtils.getUserId(), signatureArray[0])) { if (!StringUtils.equals(SessionUtils.getUserId(), signatureArray[0])) {
throw new RuntimeException("Please check csrf token."); throw new RuntimeException("Please check csrf token.");
} }
if (!StringUtils.equals(SessionUtils.getSessionId(), signatureArray[2])) {
throw new RuntimeException("Please check csrf token.");
}
} }
} }