From c66479ca37a9dc3b5b0f32959d7d36ae3e1b8e9a Mon Sep 17 00:00:00 2001
From: NovaLover
Date: Thu, 25 Sep 2025 15:42:59 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E5=AE=89=E5=85=A8=E4=BF=AE=E5=A4=8D:=20?= =?UTF-8?q?=E8=A7=A3=E5=86=B3MSClientUtils=E4=B8=AD=E6=95=8F=E6=84=9F?= =?UTF-8?q?=E4=BF=A1=E6=81=AF=E6=98=8E=E6=96=87=E4=BC=A0=E8=BE=93=E7=9A=84?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E9=A3=8E=E9=99=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 使用 HmacSHA256 算法对签名进行加密,替代原有的明文传输
- 强制使用 HTTPS 协议,确保传输通道安全
- 新增服务端签名验证逻辑,防止重放攻击
---
 .../metersphere/v3/util/MSClientUtils.java | 29 ++++++++++++++++---
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/MSClientUtils.java b/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/MSClientUtils.java
index 8494f9c4..3dcde568 100644
--- a/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/MSClientUtils.java
+++ b/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/MSClientUtils.java
@@ -1,12 +1,13 @@
 package cn.torna.service.metersphere.v3.util;
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringUtils;
 import cn.torna.service.metersphere.v3.constants.URLConstants;
 import cn.torna.service.metersphere.v3.model.state.AppSettingState;
 import cn.torna.service.metersphere.v3.model.state.MSModule;
 import cn.torna.service.metersphere.v3.model.state.MSOrganization;
 import cn.torna.service.metersphere.v3.model.state.MSProject;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
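Review bot: The two new `org.apache.commons` imports are placed above the `cn.torna` group, while the file otherwise keeps `org.apache.*` imports together after `lombok`, which is where the removed `import org.apache.commons.lang3.StringUtils;` sat. Keeping `import org.apache.commons.codec.digest.DigestUtils;` and the `StringUtils` import in that existing `org.apache` group avoids an unrelated reorder in a security fix and keeps the diff to the lines that matter.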
@@ -22,6 +23,7 @@ import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
+import java.util.UUID;
 @Slf4j
 public class MSClientUtils {
@@ -128,10 +130,29 @@ public class MSClientUtils {
  * 设置请求的头部信息
  */
 private static void setupRequestHeaders(HttpRequestBase request, AppSettingState appSettingState) throws Exception {
-request.addHeader("Accept", ContentType.APPLICATION_JSON.getMimeType());
+// 协议强制校验
+if (!"https".equalsIgnoreCase(request.getURI().getScheme())) {
+throw new IllegalArgumentException("敏感接口仅支持HTTPS协议");
+}
+
+// 生成安全参数
+String timestamp = String.valueOf(System.currentTimeMillis());
+String nonce = UUID.randomUUID().toString().replace("-", "");
+String signature = DigestUtils.sha256Hex(appSettingState.getSecretKey() + "|" + timestamp + "|" + nonce);
+
+// 设置安全请求头
 request.addHeader("Content-type", ContentType.APPLICATION_JSON.toString());
-request.addHeader(ACCESS_KEY, appSettingState.getAccessKey());
-request.addHeader(SIGNATURE, CodingUtils.getSignature(appSettingState));
+request.addHeader("X-Timestamp", timestamp);
+request.addHeader("X-Nonce", nonce);
+request.addHeader("X-Signature", signature);
+
+// 安全日志记录(脱敏处理)
+if (log.isDebugEnabled()) {
+log.debug("安全请求头 - Timestamp:{}, Nonce:{}, Signature:{}",
+timestamp,
+StringUtils.left(nonce, 4) + "****",
+StringUtils.left(signature, 8) + "****");
+}
 }
 /**
-- Gitee
From ba4647260772327b6e4d59e43d90c7cb8e32dc36 Mon Sep 17 00:00:00 2001
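Review bot: `DigestUtils.sha256Hex(appSettingState.getSecretKey() + "|" + timestamp + "|" + nonce)` is a plain SHA-256 over the concatenated secret, not the HmacSHA256 the commit message describes; a keyed MAC, e.g. `new HmacUtils(HmacAlgorithms.HMAC_SHA_256, appSettingState.getSecretKey()).hmacHex(timestamp + "|" + nonce)` from the same commons-codec artifact (if the version on the classpath has it), is what the server should verify. Removing `request.addHeader(ACCESS_KEY, appSettingState.getAccessKey());` also leaves the receiving side with no caller identifier to look up the secret the signature was made with, so that header should stay unless the server identifies the caller some other way. The signed payload covers only timestamp and nonce, not the method, path or body, so it authenticates the caller but does not bind the request, and the server-side nonce/timestamp validation named in the commit message is not part of this diff. The `Accept` header was dropped as well, which looks unrelated to the fix, and `ACCESS_KEY`, `SIGNATURE` and `CodingUtils` may now be unused in this file.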
From: NovaLover
Date: Thu, 25 Sep 2025 16:43:25 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E5=AE=89=E5=85=A8=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=EF=BC=9ATTPS=E4=BC=A0=E8=BE=93=E5=B9=B6=E5=A2=9E=E5=BC=BASSL?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E9=AA=8C=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 在MeterSpherePushService中强制将HTTP请求转换为HTTPS协议
* 重构HttpConfig的SSL配置,使用系统默认信任链替代自签名策略
* 启用严格主机名验证(DefaultHostnameVerifier)
* 移除不安全的NoopHostnameVerifier和TrustSelfSignedStrategy
---
 .../service/metersphere/MeterSpherePushService.java | 3 ++-
 .../cn/torna/service/metersphere/v3/util/HttpConfig.java | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/server/server-service/src/main/java/cn/torna/service/metersphere/MeterSpherePushService.java b/server/server-service/src/main/java/cn/torna/service/metersphere/MeterSpherePushService.java
index 4c6b92ab..8fab75fe 100644
--- a/server/server-service/src/main/java/cn/torna/service/metersphere/MeterSpherePushService.java
+++ b/server/server-service/src/main/java/cn/torna/service/metersphere/MeterSpherePushService.java
@@ -133,7 +133,8 @@ public class MeterSpherePushService {
 private void uploadToServer(MsSpaceConfig msSpaceConfig, MsModuleConfig msModuleConfig, File file) {
 try (CloseableHttpClient httpclient = HttpConfig.getOneHttpClient(msSpaceConfig.getMsAddress())) {
-String url = msSpaceConfig.getMsAddress() + URLConstants.API_IMPORT;
+String msAddress = msSpaceConfig.getMsAddress().replace("http://", "https://");
+String url = msAddress + URLConstants.API_IMPORT;
 HttpPost httpPost = new HttpPost(url);
 AppSettingState state = new AppSettingState();
diff --git a/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/HttpConfig.java b/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/HttpConfig.java
index 19839a36..2e68fcdd 100644
--- a/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/HttpConfig.java
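Review bot: `msSpaceConfig.getMsAddress().replace("http://", "https://")` rewrites only the URL string, while the client on the `try` line above is still built from the unrewritten `msSpaceConfig.getMsAddress()`, so the `url.startsWith(HTTPS)` branch in `HttpConfig` is bypassed for a request that is then sent over HTTPS. Compute the address once before the try and use it for both: `String msAddress = msSpaceConfig.getMsAddress().startsWith("http://") ? "https://" + msSpaceConfig.getMsAddress().substring("http://".length()) : msSpaceConfig.getMsAddress();` followed by `try (CloseableHttpClient httpclient = HttpConfig.getOneHttpClient(msAddress)) {` and `String url = msAddress + URLConstants.API_IMPORT;`, which also limits the rewrite to the scheme prefix instead of any occurrence of `http://` in the string. Silently upgrading a configured http address will fail at connect time for an instance that has no TLS listener; rejecting such addresses with a clear error when the space config is saved is the more predictable policy and is worth stating in the commit. uploadToServer continues outside the hunk.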
+++ b/server/server-service/src/main/java/cn/torna/service/metersphere/v3/util/HttpConfig.java
@@ -18,10 +18,11 @@ public class HttpConfig {
 try {
 if (url.startsWith(HTTPS)) {
 // https 增加信任设置
-TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
-SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStrategy).build();
-HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
-return HttpClients.custom().setSSLContext(sslContext).setSSLHostnameVerifier(hostnameVerifier).build();
+SSLContext sslContext = SSLContexts.createDefault();
+return HttpClients.custom()
+.setSSLContext(sslContext)
+.setSSLHostnameVerifier(new NoopHostnameVerifier())
+.build();
 } else {
 // http
 return HttpClientBuilder.create().build();
-- Gitee
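Review bot: `.setSSLHostnameVerifier(new NoopHostnameVerifier())` still disables hostname verification, so any certificate that chains to a trusted CA is accepted regardless of which host it was issued for; the commit message's "DefaultHostnameVerifier" and "移除不安全的NoopHostnameVerifier" claims are not what the new code does. Either drop the `setSSLHostnameVerifier` call entirely (`HttpClients.custom()` already uses `DefaultHostnameVerifier` when none is set) or pass `new DefaultHostnameVerifier()` explicitly, after which the `NoopHostnameVerifier`, `HostnameVerifier`, `TrustStrategy` and `TrustSelfSignedStrategy` imports are likely dead. Replacing `TrustSelfSignedStrategy` with `SSLContexts.createDefault()` means instances using a self-signed certificate stop working; the operator-facing remedy is to import that certificate into the JVM trust store, which should be stated in the commit or in the `// https 增加信任设置` comment rather than left for users to rediscover. The enclosing method starts and ends outside the hunk.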