fix: 调整 Json 字段获取方式以修复由于可选字段不存在导致加载失败的问题.

当 keyPassword 为 null 时, 由于类型检查漏洞, 会出现解析失败的问题.
LamGC 2021-08-20 14:00:40 +08:00
parent 6bd28909ae
commit 0dc44864cd
Signed by: LamGC
GPG Key ID: 6C5AE2A913941E1D


@ -1,5 +1,6 @@
package net.lamgc.oracle.sentry.oci.compute.ssh; package net.lamgc.oracle.sentry.oci.compute.ssh;
import com.google.common.base.Strings;
import com.google.gson.*; import com.google.gson.*;
import org.apache.sshd.common.config.keys.KeyUtils; import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.PublicKeyEntry; import org.apache.sshd.common.config.keys.PublicKeyEntry;
@ -49,20 +50,23 @@ public final class SshAuthInfoSerializer implements JsonSerializer<SshAuthInfo>,
String privateKeyPath = getFieldToStringOrFail(infoObject, "privateKeyPath"); String privateKeyPath = getFieldToStringOrFail(infoObject, "privateKeyPath");
File privateKeyFile = new File(privateKeyPath); File privateKeyFile = new File(privateKeyPath);
publicKeyInfo.setPrivateKeyPath(privateKeyFile); publicKeyInfo.setPrivateKeyPath(privateKeyFile);
publicKeyInfo.setKeyPassword(getFieldToStringOrFail(infoObject, "keyPassword")); publicKeyInfo.setKeyPassword(getFieldToString(infoObject, "keyPassword"));
info = publicKeyInfo; info = publicKeyInfo;
} else { } else {
throw new JsonParseException("Unsupported authentication type: " + authType); throw new JsonParseException("Unsupported authentication type: " + authType);
} }
info.setUsername(getFieldToStringOrFail(infoObject, "username")); info.setUsername(getFieldToStringOrFail(infoObject, "username"));
String serverKeyStr = getFieldToString(infoObject, "serverKey");
if (!Strings.isNullOrEmpty(serverKeyStr)) {
try { try {
if (infoObject.has("serverKey") && infoObject.get("serverKey").isJsonPrimitive()) { info.setServerKey(decodeSshPublicKey(serverKeyStr));
info.setServerKey(decodeSshPublicKey(infoObject.get("serverKey").getAsString()));
}
} catch (GeneralSecurityException | IOException e) { } catch (GeneralSecurityException | IOException e) {
info.setServerKey(null); info.setServerKey(null);
log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e); log.error("解析 ServerKey 时发生错误, 该 ServerKey 将为空.(后续连接需进行首次连接认证.)", e);
} }
} else {
info.setServerKey(null);
}
return info; return info;
} }
@ -93,12 +97,19 @@ public final class SshAuthInfoSerializer implements JsonSerializer<SshAuthInfo>,
} }
private String getFieldToStringOrFail(JsonObject object, String field) { private String getFieldToStringOrFail(JsonObject object, String field) {
if (!object.has(field)) { if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
throw new JsonParseException("Missing field: " + field); throw new JsonParseException("Missing field: " + field);
} }
return object.get(field).getAsString(); return object.get(field).getAsString();
} }
private String getFieldToString(JsonObject object, String field) {
if (!object.has(field) || !object.get(field).isJsonPrimitive()) {
return null;
}
return object.get(field).getAsString();
}
private PublicKey decodeSshPublicKey(String publicKeyString) throws GeneralSecurityException, IOException { private PublicKey decodeSshPublicKey(String publicKeyString) throws GeneralSecurityException, IOException {
String[] strings = publicKeyString.split(" ", 3); String[] strings = publicKeyString.split(" ", 3);
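Review bot: The new helper `getFieldToString` in the last hunk returns null both when the field is absent and when it is present with a non-primitive value, so a `serverKey` written as an object or array is dropped without a log line. Judging by the message in the catch branch, a null ServerKey means the next connection falls back to first-connection authentication, so a malformed pin is silently downgraded; `keyPassword` is dropped the same way. I would return null only for an absent or JSON-null field and reject everything else: `JsonElement e = object.get(field);`, `if (e == null || e.isJsonNull()) return null;`, `if (!e.isJsonPrimitive()) throw new JsonParseException("Field is not a primitive: " + field);`. Separately, `getFieldToStringOrFail` now reports a present but wrongly typed field as "Missing field", which misleads whoever debugs the config. The body of `decodeSshPublicKey` continues outside the hunk and is not covered here.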