Posted to issues@streampark.apache.org by GitBox <gi...@apache.org> on 2023/01/08 02:15:59 UTC

[GitHub] [incubator-streampark] github-code-scanning[bot] commented on a diff in pull request #2240: [Improve] maven pom cleanup for apache-release

github-code-scanning[bot] commented on code in PR #2240:
URL: https://github.com/apache/incubator-streampark/pull/2240#discussion_r1064071423


##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/util/EncryptUtils.java:
##########
@@ -17,86 +17,49 @@
 
 package org.apache.streampark.console.base.util;
 
+import org.apache.commons.codec.digest.DigestUtils;
+
 import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 
-import java.security.Key;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 
 public class EncryptUtils {
 
-  private static final String DEFAULT_KEY = "defaultKey";
-  private Cipher encryptCipher = null;
-  private Cipher decryptCipher = null;
-
-  private static String byteArr2HexStr(byte[] arrB) {
-    int iLen = arrB.length;
-    StringBuilder sb = new StringBuilder(iLen * 2);
-    for (byte anArrB : arrB) {
-      int intTmp = anArrB;
-      while (intTmp < 0) {
-        intTmp = intTmp + 256;
-      }
-      if (intTmp < 16) {
-        sb.append("0");
-      }
-      sb.append(Integer.toString(intTmp, 16));
-    }
-    return sb.toString();
-  }
-
-  private static byte[] hexStr2ByteArr(String strIn) {
-    byte[] arrB = strIn.getBytes();
-    int iLen = arrB.length;
+  private static final String DEFAULT_KEY = DigestUtils.md5Hex("ApacheStreamPark");
 
-    byte[] arrOut = new byte[iLen / 2];
-    for (int i = 0; i < iLen; i = i + 2) {
-      String strTmp = new String(arrB, i, 2);
-      arrOut[i / 2] = (byte) Integer.parseInt(strTmp, 16);
-    }
-    return arrOut;
-  }
+  private static final int offset = 16;
 
-  public EncryptUtils() throws Exception {
-    this(DEFAULT_KEY);
-  }
+  private static final String ALGORITHM = "AES";
 
-  EncryptUtils(String strKey) throws Exception {
-    /*
-     * Security.addProvider(new com.sun.crypto.provider.SunJCE());
-     */
-    Key key = getKey(strKey.getBytes());
-
-    encryptCipher = Cipher.getInstance("DES");
-    encryptCipher.init(Cipher.ENCRYPT_MODE, key);
-
-    decryptCipher = Cipher.getInstance("DES");
-    decryptCipher.init(Cipher.DECRYPT_MODE, key);
-  }
-
-  private byte[] encrypt(byte[] arrB) throws Exception {
-    return encryptCipher.doFinal(arrB);
-  }
+  private static final String CIPHER_KEY = "AES/CBC/PKCS5Padding";
 
-  String encrypt(String strIn) throws Exception {
-    return byteArr2HexStr(encrypt(strIn.getBytes()));
+  public static String encrypt(String content) throws Exception {
+    return encrypt(content, DEFAULT_KEY);
   }
 
-  private byte[] decrypt(byte[] arrB) throws Exception {
-    return decryptCipher.doFinal(arrB);
+  public static String decrypt(String content) throws Exception {
+    return decrypt(content, DEFAULT_KEY);
   }
 
-  String decrypt(String strIn) {
-    try {
-      return new String(decrypt(hexStr2ByteArr(strIn)));
-    } catch (Exception e) {
-      return "";
-    }
+  public static String encrypt(String content, String key) throws Exception {
+    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), ALGORITHM);
+    IvParameterSpec ivSpec = new IvParameterSpec(key.getBytes(), 0, offset);
+    Cipher cipher = Cipher.getInstance(CIPHER_KEY);
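Review bot: `DEFAULT_KEY` is `DigestUtils.md5Hex("ApacheStreamPark")`, a constant anyone with the source can recompute, so anything protected by the single-argument `encrypt`/`decrypt` is recoverable by whoever can read the ciphertext; if this path guards real credentials the key has to come from deployment configuration, and a Javadoc on `DEFAULT_KEY` should state that it provides obfuscation, not confidentiality. In `encrypt(String, String)`, `key.getBytes()` uses the platform default charset while `content` is read as UTF-8 (visible in the second hunk), so a caller-supplied key with non-ASCII characters derives different key bytes on different JVMs; use `key.getBytes(StandardCharsets.UTF_8)`. AES also accepts only 16, 24 or 32 key bytes and `IvParameterSpec(key.getBytes(), 0, offset)` needs at least `offset` bytes, so other key lengths fail later inside `cipher.init` or the spec constructor; a precondition such as `byte[] keyBytes = key.getBytes(StandardCharsets.UTF_8); if (keyBytes.length != 16 && keyBytes.length != 24 && keyBytes.length != 32) throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes");` makes the contract explicit. The body of `encrypt` continues past the end of this hunk.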

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is weak and should not be used.
   
   [Show more details](https://github.com/apache/incubator-streampark/security/code-scanning/9)



##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/util/EncryptUtils.java:
##########
@@ -17,86 +17,49 @@
 
 package org.apache.streampark.console.base.util;
 
+import org.apache.commons.codec.digest.DigestUtils;
+
 import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 
-import java.security.Key;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 
 public class EncryptUtils {
 
-  private static final String DEFAULT_KEY = "defaultKey";
-  private Cipher encryptCipher = null;
-  private Cipher decryptCipher = null;
-
-  private static String byteArr2HexStr(byte[] arrB) {
-    int iLen = arrB.length;
-    StringBuilder sb = new StringBuilder(iLen * 2);
-    for (byte anArrB : arrB) {
-      int intTmp = anArrB;
-      while (intTmp < 0) {
-        intTmp = intTmp + 256;
-      }
-      if (intTmp < 16) {
-        sb.append("0");
-      }
-      sb.append(Integer.toString(intTmp, 16));
-    }
-    return sb.toString();
-  }
-
-  private static byte[] hexStr2ByteArr(String strIn) {
-    byte[] arrB = strIn.getBytes();
-    int iLen = arrB.length;
+  private static final String DEFAULT_KEY = DigestUtils.md5Hex("ApacheStreamPark");
 
-    byte[] arrOut = new byte[iLen / 2];
-    for (int i = 0; i < iLen; i = i + 2) {
-      String strTmp = new String(arrB, i, 2);
-      arrOut[i / 2] = (byte) Integer.parseInt(strTmp, 16);
-    }
-    return arrOut;
-  }
+  private static final int offset = 16;
 
-  public EncryptUtils() throws Exception {
-    this(DEFAULT_KEY);
-  }
+  private static final String ALGORITHM = "AES";
 
-  EncryptUtils(String strKey) throws Exception {
-    /*
-     * Security.addProvider(new com.sun.crypto.provider.SunJCE());
-     */
-    Key key = getKey(strKey.getBytes());
-
-    encryptCipher = Cipher.getInstance("DES");
-    encryptCipher.init(Cipher.ENCRYPT_MODE, key);
-
-    decryptCipher = Cipher.getInstance("DES");
-    decryptCipher.init(Cipher.DECRYPT_MODE, key);
-  }
-
-  private byte[] encrypt(byte[] arrB) throws Exception {
-    return encryptCipher.doFinal(arrB);
-  }
+  private static final String CIPHER_KEY = "AES/CBC/PKCS5Padding";
 
-  String encrypt(String strIn) throws Exception {
-    return byteArr2HexStr(encrypt(strIn.getBytes()));
+  public static String encrypt(String content) throws Exception {
+    return encrypt(content, DEFAULT_KEY);
   }
 
-  private byte[] decrypt(byte[] arrB) throws Exception {
-    return decryptCipher.doFinal(arrB);
+  public static String decrypt(String content) throws Exception {
+    return decrypt(content, DEFAULT_KEY);
   }
 
-  String decrypt(String strIn) {
-    try {
-      return new String(decrypt(hexStr2ByteArr(strIn)));
-    } catch (Exception e) {
-      return "";
-    }
+  public static String encrypt(String content, String key) throws Exception {
+    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), ALGORITHM);
+    IvParameterSpec ivSpec = new IvParameterSpec(key.getBytes(), 0, offset);
+    Cipher cipher = Cipher.getInstance(CIPHER_KEY);
+    byte[] byteContent = content.getBytes(StandardCharsets.UTF_8);
+    cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
+    byte[] result = cipher.doFinal(byteContent);
+    return Base64.getEncoder().encodeToString(result);
   }
 
-  private Key getKey(byte[] arrBTmp) {
-    byte[] arrB = new byte[8];
-    for (int i = 0; i < arrBTmp.length && i < arrB.length; i++) {
-      arrB[i] = arrBTmp[i];
-    }
-    return new javax.crypto.spec.SecretKeySpec(arrB, "DES");
+  public static String decrypt(String content, String key) throws Exception {
+    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), ALGORITHM);
+    IvParameterSpec ivSpec = new IvParameterSpec(key.getBytes(), 0, offset);
+    Cipher cipher = Cipher.getInstance(CIPHER_KEY);
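Review bot: The IV handed to `IvParameterSpec` in both `encrypt` and `decrypt` is the first 16 bytes of the key itself (`new IvParameterSpec(key.getBytes(), 0, offset)`), so every message is encrypted under the same key and IV: equal plaintexts produce equal ciphertexts, messages sharing a prefix reveal that in their leading blocks, and key material is used as a value CBC assumes may be public. There is also no integrity check, so `decrypt` on tampered or attacker-supplied Base64 fails only via `BadPaddingException`, which becomes a padding oracle wherever a caller lets a padding failure be distinguished from a successful decrypt; an AEAD mode such as `AES/GCM/NoPadding` avoids this, and if CBC must stay, a fresh random IV per message should be generated, prepended to the ciphertext and recovered in `decrypt`. The rewrite of `encrypt` below does that (it needs `import java.security.SecureRandom;`); `decrypt`, whose body continues past the end of this hunk, has to mirror it by splitting off the first `offset` bytes after Base64 decoding. Note also that the removed `decrypt(String)` swallowed failures and returned `""`, whereas the new one propagates `Exception`, so callers that relied on the empty-string result should be checked.
```java
  public static String encrypt(String content, String key) throws Exception {
    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), ALGORITHM);
    // Fresh IV per message: a fixed IV (let alone one cut from the key) makes CBC deterministic.
    byte[] iv = new byte[offset];
    new SecureRandom().nextBytes(iv);
    Cipher cipher = Cipher.getInstance(CIPHER_KEY);
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv));
    byte[] encrypted = cipher.doFinal(content.getBytes(StandardCharsets.UTF_8));
    // Prepend the IV so decrypt can recover it; the IV need not be secret, only unpredictable.
    byte[] out = new byte[iv.length + encrypted.length];
    System.arraycopy(iv, 0, out, 0, iv.length);
    System.arraycopy(encrypted, 0, out, iv.length, encrypted.length);
    return Base64.getEncoder().encodeToString(out);
  }
```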

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is weak and should not be used.
   
   [Show more details](https://github.com/apache/incubator-streampark/security/code-scanning/10)


