From 0dc44864cd384b5aa51f7383f2de6c820dc51ce3 Mon Sep 17 00:00:00 2001
From: LamGC
Date: Fri, 20 Aug 2021 14:00:40 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=B0=83=E6=95=B4=20Json=20=E5=AD=97?= =?UTF-8?q?=E6=AE=B5=E8=8E=B7=E5=8F=96=E6=96=B9=E5=BC=8F=E4=BB=A5=E4=BF=AE?= =?UTF-8?q?=E5=A4=8D=E7=94=B1=E4=BA=8E=E5=8F=AF=E9=80=89=E5=AD=97=E6=AE=B5?= =?UTF-8?q?=E4=B8=8D=E5=AD=98=E5=9C=A8=E5=AF=BC=E8=87=B4=E5=8A=A0=E8=BD=BD?= =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

当 keyPassword 为 null 时, 由于类型检查漏洞, 会出现解析失败的问题.
---
 .../compute/ssh/SshAuthInfoSerializer.java | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java b/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java
index 52ebc40..022635c 100644
--- a/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java
+++ b/src/main/java/net/lamgc/oracle/sentry/oci/compute/ssh/SshAuthInfoSerializer.java
@@ -1,5 +1,6 @@
 package net.lamgc.oracle.sentry.oci.compute.ssh;
+import com.google.common.base.Strings;
 import com.google.gson.*;
 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.config.keys.PublicKeyEntry;
@@ -49,19 +50,22 @@ public final class SshAuthInfoSerializer implements JsonSerializer,
 String privateKeyPath = getFieldToStringOrFail(infoObject, "privateKeyPath");
 File privateKeyFile = new File(privateKeyPath);
 publicKeyInfo.setPrivateKeyPath(privateKeyFile);
- publicKeyInfo.setKeyPassword(getFieldToStringOrFail(infoObject, "keyPassword"));
+ publicKeyInfo.setKeyPassword(getFieldToString(infoObject, "keyPassword"));
 info = publicKeyInfo;
 } else {
 throw new JsonParseException("Unsupported authentication type: " + authType);
 }
 info.setUsername(getFieldToStringOrFail(infoObject, "username"));
- try {
- if (infoObject.has("serverKey") && infoObject.get("serverKey").isJsonPrimitive()) {
- info.setServerKey(decodeSshPublicKey(infoObject.get("serverKey").getAsString()));
+ String serverKeyStr = getFieldToString(infoObject, "serverKey");
+ if (!Strings.isNullOrEmpty(serverKeyStr)) {
+ try {
+ info.setServerKey(decodeSshPublicKey(serverKeyStr));
+ } catch (GeneralSecurityException | IOException e) {
+ info.setServerKey(null);
+ log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e);
 }
- } catch (GeneralSecurityException | IOException e) {
+ } else {
 info.setServerKey(null);
- log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e);
 }
 return info;
 }
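Review bot: In the new catch branch a serverKey that is present but fails to decode is replaced with null and only logged, so a corrupt or tampered pinned host key in the config degrades into the first-connection trust path that the log message itself describes, and only a log line distinguishes it from a config that never had a key. If serverKey is what later host-key verification checks against, this should fail closed: replace the `info.setServerKey(null);` in the catch with `throw new JsonParseException("Invalid serverKey", e);` and keep the null fallback only for the absent/empty case in the else branch; whether that is acceptable depends on how the key is consumed, which is outside this hunk. Separately, `info.setServerKey(null);` now appears in both the catch and the else branch; a single `info.setServerKey(null);` hoisted above the `if` with the `else` dropped keeps the same behaviour with less duplication. `Strings.isNullOrEmpty` also introduces a Guava import for what `serverKeyStr == null || serverKeyStr.isEmpty()` expresses without it, which matters only if Guava is not already a dependency of the project. The enclosing deserialize method starts before this hunk.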
@@ -93,12 +97,19 @@ public final class SshAuthInfoSerializer implements JsonSerializer,
 }
 private String getFieldToStringOrFail(JsonObject object, String field) {
- if (!object.has(field)) {
+ if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
 throw new JsonParseException("Missing field: " + field);
 }
 return object.get(field).getAsString();
 }
+ private String getFieldToString(JsonObject object, String field) {
+ if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
+ return null;
+ }
+ return object.get(field).getAsString();
+ }
+
 private PublicKey decodeSshPublicKey(String publicKeyString) throws GeneralSecurityException, IOException {
 String[] strings = publicKeyString.split(" ", 3);
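Review bot: The widened condition in getFieldToStringOrFail still reports `Missing field: ` when the field exists but is an object, an array or JSON null, which points whoever debugs a rejected config at the wrong problem; splitting the condition so the present-but-not-primitive case throws its own message, e.g. `throw new JsonParseException("Field is not a string value: " + field);`, keeps the error accurate. The new getFieldToString carries no Javadoc although callers now rely on its null contract for keyPassword and serverKey; a one-liner such as `/** Returns the field's string value, or {@code null} if the field is absent, JSON null or not a primitive. */` would document it. Both helpers accept any primitive, so a numeric or boolean value is silently converted by getAsString rather than rejected; if only strings are intended, checking `object.get(field).getAsJsonPrimitive().isString()` tightens that. The trailing context of this hunk and the body of decodeSshPublicKey appear to continue past the end of the visible text.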