REPORT-72595 FR源码中存在加密密钥硬编码，建议放到配置文件中

2 years ago · 6a0820c9e8
2 changed files with 20 additions and 3 deletions
--- a/designer-base/src/main/java/com/fr/design/login/utils/DesignerLoginUtils.java
+++ b/designer-base/src/main/java/com/fr/design/login/utils/DesignerLoginUtils.java
@ -9,12 +9,16 @@ import com.fr.general.http.HttpToolbox;
 import com.fr.general.log.MessageFormatter;
 import com.fr.json.JSONObject;
 import com.fr.log.FineLoggerFactory;
+import com.fr.security.encryption.storage.keys.DefaultKeys;
 import com.fr.stable.StringUtils;
 import com.fr.third.org.bouncycastle.util.encoders.Hex;
 import java.awt.Window;
+import java.io.IOException;
+import java.io.InputStream;
 import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Properties;
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
@ -28,8 +32,6 @@ public class DesignerLoginUtils {

    private static final String PRODUCT_FINEREPORT = "product-finereport";

-    private static final String KEY = "i7hP48WAcuTrmxfN";
-
    public static Map<String, String> renderMap() {
        Map<String, String> map4Tpl = new HashMap<>();
        map4Tpl.put("language", GeneralContext.getLocale().toString());
@ -85,8 +87,11 @@ public class DesignerLoginUtils {
        jo.put("uid", manager.getDesignerLoginUid());
        jo.put("username", manager.getDesignerLoginUsername());
        jo.put("source", PRODUCT_FINEREPORT);
+
+        Properties properties = read("/default");
+
        byte[] iv = randomIv();
-        return new String(Hex.encode(iv)) + encrypt(jo.toString(), KEY.getBytes(), iv);
+        return new String(Hex.encode(iv)) + encrypt(jo.toString(), properties.getProperty("Fine-Designer_Login").getBytes(), iv);
    }

    private static byte[] randomIv() {
@ -105,4 +110,15 @@ public class DesignerLoginUtils {
        byte[] resultBytes = cipher.doFinal(content.getBytes());
        return new String(Hex.encode(resultBytes));
    }
+
+    private static Properties read(String fileName) {
+        fileName = "com/fr/design/config" + fileName;
+        Properties properties = new Properties();
+        try (InputStream inputStream = DefaultKeys.class.getClassLoader().getResourceAsStream(fileName)){
+            properties.load(inputStream);
+        } catch (IOException e) {
+            FineLoggerFactory.getLogger().error(e.getMessage(), e);
+        }
+        return properties;
+    }
 }
--- a/designer-base/src/main/resources/com/fr/design/config/default
+++ b/designer-base/src/main/resources/com/fr/design/config/default
@ -0,0 +1 @@
+Fine-Designer_Login=i7hP48WAcuTrmxfN