refactor: 增强验证csrftoken

2021-03-26 18:38:16 +08:00 · 2021-03-26 18:38:16 +08:00 · 4214e63b71
parent 9bfaf7588e
commit 4214e63b71
3 changed files with 10 additions and 3 deletions
--- a/backend/src/main/java/io/metersphere/commons/user/SessionUser.java
+++ b/backend/src/main/java/io/metersphere/commons/user/SessionUser.java
@ -1,6 +1,7 @@
 package io.metersphere.commons.user;

 import io.metersphere.commons.utils.CodingUtil;
+import io.metersphere.commons.utils.SessionUtils;
 import io.metersphere.dto.UserDTO;
 import lombok.Getter;
 import lombok.Setter;
@ -28,7 +29,7 @@ public class SessionUser extends UserDTO implements Serializable {
        SessionUser sessionUser = new SessionUser();
        BeanUtils.copyProperties(user, sessionUser);

-        List<String> infos = Arrays.asList(user.getId(), RandomStringUtils.random(6), "" + System.currentTimeMillis());
+        List<String> infos = Arrays.asList(user.getId(), RandomStringUtils.randomAlphabetic(6), SessionUtils.getSessionId(), "" + System.currentTimeMillis());
        sessionUser.csrfToken = CodingUtil.aesEncrypt(StringUtils.join(infos, "|"), secret, iv);
        return sessionUser;
    }
--- a/backend/src/main/java/io/metersphere/commons/utils/SessionUtils.java
+++ b/backend/src/main/java/io/metersphere/commons/utils/SessionUtils.java
@ -10,7 +10,6 @@ import org.apache.shiro.subject.support.DefaultSubjectContext;

 import java.util.Collection;
 import java.util.Objects;
-import java.util.Optional;

 import static io.metersphere.commons.constants.SessionConstants.ATTR_USER;

@ -32,6 +31,10 @@ public class SessionUtils {
        }
    }

+    public static String getSessionId() {
+        return (String) SecurityUtils.getSubject().getSession().getId();
+    }
+
    private static Session getSessionByUsername(String username) {
        DefaultSessionManager sessionManager = CommonBeanFactory.getBean(DefaultSessionManager.class);
        Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();
--- a/backend/src/main/java/io/metersphere/security/CsrfFilter.java
+++ b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
@ -71,11 +71,14 @@ public class CsrfFilter extends AnonymousFilter {
        csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv);

        String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|");
-        if (signatureArray.length != 3) {
+        if (signatureArray.length != 4) {
            throw new RuntimeException("invalid token");
        }
        if (!StringUtils.equals(SessionUtils.getUserId(), signatureArray[0])) {
            throw new RuntimeException("Please check csrf token.");
        }
+        if (!StringUtils.equals(SessionUtils.getSessionId(), signatureArray[2])) {
+            throw new RuntimeException("Please check csrf token.");
+        }
    }
 }