fix: 调整 Json 字段获取方式以修复由于可选字段不存在导致加载失败的问题.

当 keyPassword 为 null 时, 由于类型检查漏洞, 会出现解析失败的问题.
2025-04-29 14:17:34 +00:00 · 2021-08-20 14:00:40 +08:00 · 2021-08-20 14:00:40 +08:00 · 0dc44864cd
commit 0dc44864cd
parent 6bd28909ae
1 changed files with 18 additions and 7 deletions
--- a/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java
+++ b/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java
@ -1,5 +1,6 @@
 package net.lamgc.oracle.sentry.oci.compute.ssh;

+import com.google.common.base.Strings;
 import com.google.gson.*;
 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.config.keys.PublicKeyEntry;
@ -49,19 +50,22 @@ public final class SshAuthInfoSerializer implements JsonSerializer<SshAuthInfo>,
            String privateKeyPath = getFieldToStringOrFail(infoObject, "privateKeyPath");
            File privateKeyFile = new File(privateKeyPath);
            publicKeyInfo.setPrivateKeyPath(privateKeyFile);
-            publicKeyInfo.setKeyPassword(getFieldToStringOrFail(infoObject, "keyPassword"));
+            publicKeyInfo.setKeyPassword(getFieldToString(infoObject, "keyPassword"));
            info = publicKeyInfo;
        } else {
            throw new JsonParseException("Unsupported authentication type: " + authType);
        }
        info.setUsername(getFieldToStringOrFail(infoObject, "username"));
-        try {
-            if (infoObject.has("serverKey") && infoObject.get("serverKey").isJsonPrimitive()) {
-                info.setServerKey(decodeSshPublicKey(infoObject.get("serverKey").getAsString()));
+        String serverKeyStr = getFieldToString(infoObject, "serverKey");
+        if (!Strings.isNullOrEmpty(serverKeyStr)) {
+            try {
+                info.setServerKey(decodeSshPublicKey(serverKeyStr));
+            } catch (GeneralSecurityException | IOException e) {
+                info.setServerKey(null);
+                log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e);
            }
-        } catch (GeneralSecurityException | IOException e) {
+        } else {
            info.setServerKey(null);
-            log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e);
        }
        return info;
    }
@ -93,12 +97,19 @@ public final class SshAuthInfoSerializer implements JsonSerializer<SshAuthInfo>,
    }

    private String getFieldToStringOrFail(JsonObject object, String field) {
-        if (!object.has(field)) {
+        if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
            throw new JsonParseException("Missing field: " + field);
        }
        return object.get(field).getAsString();
    }

+    private String getFieldToString(JsonObject object, String field) {
+        if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
+            return null;
+        }
+        return object.get(field).getAsString();
+    }
+
    private PublicKey decodeSshPublicKey(String publicKeyString) throws GeneralSecurityException, IOException {
        String[] strings = publicKeyString.split(" ", 3);