fix a secure issue

Signed-off-by: yxxhero <aiopsclub@163.com>
2021-08-11 20:03:57 +08:00 · 2021-08-11 20:03:57 +08:00 · 7ab0d0e8a1
parent 4b047497bb
commit 7ab0d0e8a1
2 changed files with 14 additions and 1 deletions
--- a/manager/oauth/oauth.go
+++ b/manager/oauth/oauth.go
@ -10,6 +10,7 @@ import (
 	"strings"

 	"d7y.io/dragonfly/v2/manager/model"
+	"d7y.io/dragonfly/v2/pkg/util/stringutils"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 	"gorm.io/gorm"
@ -68,7 +69,7 @@ func (oa *baseOauth2) GetRediectURL(db *gorm.DB) (string, error) {
 }

 func (oa *baseOauth2) AuthCodeURL() string {
-	return oa.Config.AuthCodeURL("state")
+	return oa.Config.AuthCodeURL(stringutils.RandString(5))
 }

 func (oa *baseOauth2) GetOauthUserInfo(token string) (*oauth2User, error) {
--- a/pkg/util/stringutils/string_utils.go
+++ b/pkg/util/stringutils/string_utils.go
@ -18,7 +18,9 @@
 package stringutils

 import (
+	"math/rand"
 	"strings"
+	"time"
 	"unicode"
 )

@ -65,3 +67,13 @@ func Contains(slice []string, ele string) bool {

 	return false
 }
+
+func RandString(len int) string {
+	r := rand.New(rand.NewSource(time.Now().Unix()))
+	bytes := make([]byte, len)
+	for i := 0; i < len; i++ {
+		b := r.Intn(26) + 65
+		bytes[i] = byte(b)
+	}
+	return string(bytes)
+}