From 42925c857c82427b5e44dfb7b586f18e61f7196e Mon Sep 17 00:00:00 2001
From: yukaidi
Date: Fri, 29 May 2026 02:22:52 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DPlayground=E5=AF=86=E7=A0=81?=
 =?UTF-8?q?=E6=97=B6=E5=BA=8F=E6=94=BB=E5=87=BB=E5=92=8C=E5=A0=86=E6=A0=88?=
 =?UTF-8?q?=E6=B3=84=E9=9C=B2=EF=BC=9A=E4=BD=BF=E7=94=A8MessageDigest.isEq?=
 =?UTF-8?q?ual()=E6=AF=94=E8=BE=83=E5=AF=86=E7=A0=81=EF=BC=8C=E7=A7=BB?=
 =?UTF-8?q?=E9=99=A4=E8=BF=94=E5=9B=9E=E7=BB=99=E5=AE=A2=E6=88=B7=E7=AB=AF?=
 =?UTF-8?q?=E7=9A=84=E5=AE=8C=E6=95=B4=E5=A0=86=E6=A0=88=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../cn/qaiu/lz/web/controller/PlaygroundApi.java | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java b/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java
index 4972d86..dc96e1b 100644
--- a/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java
+++ b/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java
@@ -28,6 +28,8 @@ import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -129,8 +131,11 @@ public class PlaygroundApi {
 return promise.future();
 }
- // 验证密码
- if (config.getPassword().equals(password)) {
+ // 验证密码(使用常量时间比较防止时序攻击)
+ String storedPassword = config.getPassword();
+ if (storedPassword != null && MessageDigest.isEqual(
+ storedPassword.getBytes(StandardCharsets.UTF_8),
+ password.getBytes(StandardCharsets.UTF_8))) {
 String token = config.generateToken();
 JsonObject tokenData = new JsonObject().put("token", token);
 promise.complete(JsonResult.data(tokenData).toJsonObject());
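Review bot: The added `import java.nio.charset.StandardCharsets;` in the import hunk repeats the context line directly above it. javac ignores a duplicate single-type import of the same type, so it still compiles, but it is dead text and Checkstyle/Error Prone style checks flag redundant imports. Keep only the new `import java.security.MessageDigest;` line in that hunk.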
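Review bot: `MessageDigest.isEqual` returns false as soon as the two arrays differ in length, so the comparison in the new `if` is constant-time only for candidates of the same byte length as the stored password and still reveals whether the length matches. Digesting both sides with SHA-256 before calling isEqual makes the compared arrays equal-length for any input, and a `password != null` guard beside `storedPassword != null` avoids an NPE on `password.getBytes` if the caller does not validate it — the enclosing method starts and ends outside this hunk, so I cannot see whether it does. The direct comparison with `config.getPassword()` also implies the configured secret is held in a recoverable form; if that is intended for a playground, say so in the comment, otherwise storing and comparing a hash would be the next step. The helper below needs `java.security.NoSuchAlgorithmException` imported.

```java
        // 验证密码(使用常量时间比较防止时序攻击)
        String storedPassword = config.getPassword();
        if (storedPassword != null && password != null
                && constantTimeEquals(storedPassword, password)) {
            // … unchanged: token generation and response …

    // … elsewhere in PlaygroundApi …

    /**
     * Digests both values so MessageDigest.isEqual always compares equal-length
     * arrays and cannot short-circuit on a length mismatch.
     */
    private static boolean constantTimeEquals(String expected, String candidate) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] expectedDigest = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] candidateDigest = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expectedDigest, candidateDigest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 MessageDigest not available", e);
        }
    }
```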
@@ -299,7 +304,6 @@ public class PlaygroundApi {
 }).onFailure(e -> {
 long executionTime = System.currentTimeMillis() - startTime;
 String errorMessage = e.getMessage();
- String stackTrace = getStackTrace(e);
 log.error("演练场执行失败", e);
@@ -317,7 +321,6 @@ public class PlaygroundApi {
 PlaygroundTestResp response = PlaygroundTestResp.builder()
 .success(false)
 .error(errorMessage)
- .stackTrace(stackTrace)
 .executionTime(executionTime)
 .logs(respLogs)
 .build();
@@ -328,14 +331,12 @@ public class PlaygroundApi {
 } catch (Exception e) {
 long executionTime = System.currentTimeMillis() - startTime;
 String errorMessage = e.getMessage();
- String stackTrace = getStackTrace(e);
 log.error("演练场初始化失败", e);
 PlaygroundTestResp response = PlaygroundTestResp.builder()
 .success(false)
 .error(errorMessage)
- .stackTrace(stackTrace)
 .executionTime(executionTime)
 .logs(new ArrayList<>())
 .build();
@@ -346,8 +347,7 @@ public class PlaygroundApi {
 log.error("解析请求参数失败", e);
 promise.complete(JsonObject.mapFrom(PlaygroundTestResp.builder()
 .success(false)
- .error("解析请求参数失败: " + e.getMessage())
- .stackTrace(getStackTrace(e))
+ .error("解析请求参数失败")
 .build()));
 }
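Review bot: The response built in this hunk's `onFailure` path, and likewise in the `catch (Exception e)` hunk at old line 328, still forwards `e.getMessage()` to the client through `.error(errorMessage)`, whereas the last hunk replaces the raw message with the fixed text `"解析请求参数失败"`. Exception messages from the execution path can carry class names, file paths or fragments of the failing input, which is the same category of detail the removed stack trace exposed. If those messages are intentionally shown so playground users can debug their scripts, add a comment saying so; otherwise apply the same fixed-message treatment and rely on the `log.error(..., e)` entry for the detail. The enclosing lambda and try block begin outside this hunk.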
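Review bot: The two removed lines in the last hunk were the final visible callers of `getStackTrace(e)`, so that private helper is now likely unused unless something outside this diff still calls it; if nothing does, delete it, and consider whether the `stackTrace` property of `PlaygroundTestResp` still has a writer, since otherwise every error response now serializes it as a permanently empty field. The new `.error("解析请求参数失败")` is fine because the preceding `log.error` keeps the exception server-side, but a one-line comment such as `// 不回传 e.getMessage()，避免向客户端泄露内部信息` above it would stop the next maintainer from re-adding the message.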