判断nonce和时间戳有效

148b3928 · 以墨为白 · ded60957 · 148b3928 · 148b3928 · 148b3928
Commit 148b3928 authored Jan 09, 2025 by 以墨为白 🎧
3 changed files
--- a/src/main/java/com/zksy/szpt/filter/SignatureVerificationFilter.java
+++ b/src/main/java/com/zksy/szpt/filter/SignatureVerificationFilter.java
@@ -11,6 +11,7 @@ import com.zksy.szpt.domain.HttpResultState;
 import com.zksy.szpt.domain.po.AppStore;
 import com.zksy.szpt.service.AppStoreService;
 import com.zksy.szpt.util.EncryptUtil;
+import com.zksy.szpt.util.RedisKeyValidator;
 import com.zksy.szpt.util.SignatureUtil;
 import com.zksy.szpt.util.UserContextHolder;
 import org.slf4j.Logger;
@@ -83,6 +84,16 @@ public class SignatureVerificationFilter extends OncePerRequestFilter {
            return false;
        }

+        // 验证nonce和timestamp合法性
+        if (!RedisKeyValidator.isValidString(nonce)) {
+            this.write(response, "不是合法的由数字和字母以及下划线组成的nonce：" + nonce);
+            return false;
+        }
+        if (!RedisKeyValidator.isValidTimestamp(timestampStr)) {
+            this.write(response, "不是合法的十位秒级时间戳timestamp：" + timestampStr);
+            return false;
+        }
+
        // timestamp 10分钟内有效
        long timestamp = Long.parseLong(timestampStr);
        long currentTimestamp = System.currentTimeMillis() / 1000;

--- a/src/main/java/com/zksy/szpt/util/RedisKeyValidator.java
+++ b/src/main/java/com/zksy/szpt/util/RedisKeyValidator.java
+package com.zksy.szpt.util;
+
+import java.util.regex.Pattern;
+
+public class RedisKeyValidator {
+    private static final String INVALID_CHARACTERS = "[\\x00\\x20\\x0A\\x0D\\x09]";  // 常见的无效字符
+
+    public static boolean isValidKey(String key) {
+        if (key == null || key.isEmpty()) {
+            return false;
+        }
+        return !key.matches(INVALID_CHARACTERS);
+    }
+
+    /**
+     *
+     * @param str
+     * @return
+     */
+    public static boolean isValidString(String str) {
+        // 定义正则表达式，匹配字母、数字和下划线
+        String regex = "\\w+";
+        return Pattern.matches(regex, str);
+    }
+
+    /**
+     * 检查是否为有效的秒级时间戳
+     * @param timestamp
+     * @return
+     */
+    public static boolean isValidTimestamp(String timestamp) {
+        // 检查是否为数字
+        if (!timestamp.matches("\\d+")) {
+            return false;
+        }
+        // 检查长度是否为10位（秒）
+        return timestamp.length() == 10;
+    }
+
+}
--- a/src/test/java/com/zksy/szpt/MainTest.java
+++ b/src/test/java/com/zksy/szpt/MainTest.java
@@ -29,7 +29,7 @@ public class MainTest {
    String nonce = "2";
    String timestampStr = "21";
    String appId = "1872576325743943682";
-    String appSecret = "21";
+    String appSecret = "2";


    @Resource