fix(security): 安全漏洞修复与依赖升级

- 升级 Vert.x 4.5.24 → 4.5.27, postgresql 42.7.3 → 42.7.11, logback 1.5.18 → 1.5.32, axios 1.13.5 → 1.16.1 - 修复 JWT 签名验证和密码比较的时序攻击漏洞 (MessageDigest.isEqual) - 修复 AESUtils 使用不安全 Random 改为 SecureRandom - 修复登录用户枚举和异常信息泄露，统一错误提示 - 修复 RateLimiter count++ 非原子操作 (AtomicInteger) - 修复 JsParserExecutor DCL 模式缺少 volatile - 修复 Token 日志泄露，仅打印前8字符 - 修复 Playground 密码时序攻击和堆栈泄露 - 所有 window.open 添加 noopener,noreferrer - LocalConstant 改用 ConcurrentHashMap 保证线程安全 - Dockerfile 添加非 root 用户运行，secret.yml 加入 .gitignore
2026-06-10 23:47:29 +00:00 · 2026-05-29 14:20:54 +08:00
parent ff400d3be3
commit 17460ff271
22 changed files with 212 additions and 155 deletions
--- a/core/src/main/java/cn/qaiu/vx/core/handlerfactory/RouterHandlerFactory.java
+++ b/core/src/main/java/cn/qaiu/vx/core/handlerfactory/RouterHandlerFactory.java
@@ -127,8 +127,9 @@ public class RouterHandlerFactory implements BaseHttpApi {
        // 错误请求处理
        mainRouter.errorHandler(405, ctx -> doFireJsonResultResponse(ctx, JsonResult
                .error("Method Not Allowed", 405)));
-        mainRouter.errorHandler(404, ctx -> ctx.response().setStatusCode(404).setChunked(true)
-                .end("Internal server error: 404 not found"));
+        mainRouter.errorHandler(404, ctx -> {
+            ctx.response().setStatusCode(404).end("404 not found");
+        });

        return mainRouter;
    }
@@ -179,8 +180,9 @@ public class RouterHandlerFactory implements BaseHttpApi {
                    if (ctx.statusCode() == 503 || ctx.failure() == null) {
                        doFireJsonResultResponse(ctx, JsonResult.error("未知异常, 请联系管理员"), 503);
                    } else {
-                        ctx.failure().printStackTrace();
-                        doFireJsonResultResponse(ctx, JsonResult.error(ctx.failure().getMessage()), 500);
+                        LOGGER.error("路由处理失败", ctx.failure());
+                        String msg = ctx.failure() != null ? ctx.failure().getMessage() : "未知异常";
+                        doFireJsonResultResponse(ctx, JsonResult.error(msg), 500);
                    }
                });
            } else if (method.isAnnotationPresent(SockRouteMapper.class)) {
@@ -198,7 +200,7 @@ public class RouterHandlerFactory implements BaseHttpApi {
                    try {
                        ReflectionUtil.invokeWithArguments(method, instance, sock);
                    } catch (Throwable e) {
-                        e.printStackTrace();
+                        LOGGER.error("WebSocket处理异常", e);
                    }
                });
                if (url.endsWith("*")) {
@@ -322,7 +324,7 @@ public class RouterHandlerFactory implements BaseHttpApi {
                                parameterValueList.put(k, entity);
                            }
                        } catch (ClassNotFoundException e) {
-                            e.printStackTrace();
+                            LOGGER.error("实体类绑定异常: {}", typeName, e);
                        }
                    }
                });
@@ -365,7 +367,7 @@ public class RouterHandlerFactory implements BaseHttpApi {
                    Object entity = ParamUtil.multiMapToEntity(queryParams, aClass);
                    parameterValueList.put(k, entity);
                } catch (Exception e) {
-                    e.printStackTrace();
+                    LOGGER.error("参数绑定异常: {}", v.getRight().getName(), e);
                }
            } else if (parameterValueList.get(k) == null
                    && JsonObject.class.getName().equals(v.getRight().getName())) {
@@ -408,22 +410,19 @@ public class RouterHandlerFactory implements BaseHttpApi {
                            doFireJsonResultResponse(ctx, JsonResult.data(null));
                        }

-                    }).onFailure(e -> doFireJsonResultResponse(ctx, JsonResult.error(e.getMessage()), 500));
+                    }).onFailure(e -> {
+                        LOGGER.error("请求处理失败", e);
+                        String msg = e.getMessage() != null ? e.getMessage() : "服务器内部错误";
+                        doFireJsonResultResponse(ctx, JsonResult.error(msg), 500);
+                    });
                } else {
                    doFireJsonResultResponse(ctx, JsonResult.data(data));
                }
            }
        } catch (Throwable e) {
-            e.printStackTrace();
-            String err = e.getMessage();
-            if (e.getCause() != null) {
-                if (e.getCause() instanceof InvocationTargetException) {
-                    err = ((InvocationTargetException) e.getCause()).getTargetException().getMessage();
-                } else {
-                    err = e.getCause().getMessage();
-                }
-            }
-            doFireJsonResultResponse(ctx, JsonResult.error(err), 500);
+            LOGGER.error("请求处理异常", e);
+            String msg = e.getMessage() != null ? e.getMessage() : "服务器内部错误";
+            doFireJsonResultResponse(ctx, JsonResult.error(msg), 500);
        }
    }

--- a/core/src/main/java/cn/qaiu/vx/core/util/LocalConstant.java
+++ b/core/src/main/java/cn/qaiu/vx/core/util/LocalConstant.java
@@ -1,7 +1,7 @@
 package cn.qaiu.vx.core.util;

-import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;

 /**
 * vertx 上下文外的本地容器 为不在vertx线程的方法传递数据
@@ -10,11 +10,10 @@ import java.util.Map;
 * @author <a href="https://qaiu.top">QAIU</a>
 */
 public class LocalConstant {
-    private static final Map<String, Object> LOCAL_CONST = new HashMap<>();
+    private static final Map<String, Object> LOCAL_CONST = new ConcurrentHashMap<>();

    public static Map<String, Object> put(String k, Object v) {
-        if (LOCAL_CONST.containsKey(k)) return LOCAL_CONST;
-        LOCAL_CONST.put(k, v);
+        LOCAL_CONST.putIfAbsent(k, v);
        return LOCAL_CONST;
    }