From 9a3ea050230f3cd2dabd57c1c8c73b6e26825eba Mon Sep 17 00:00:00 2001
From: yukaidi
Date: Fri, 29 May 2026 01:39:31 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20HttpProxyVerticle=E4=BB=A3=E7=90=86?= =?UTF-8?q?=E8=AE=A4=E8=AF=81=E7=BB=95=E8=BF=87=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SEC-01: 修复三个安全问题: 1. split.length<=1时直接放行请求,现在返回403 2. Base64解码无异常处理,现在捕获IllegalArgumentException返回403 3. 日志中明文记录密码,现在只记录用户名
---
 .../vx/core/verticle/HttpProxyVerticle.java | 29 ++++++++++++-------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java b/core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java
index 64fd990..aa713ea 100644
--- a/core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java
+++ b/core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java
@@ -129,16 +129,25 @@ public class HttpProxyVerticle extends AbstractVerticle {
 clientRequest.response().setStatusCode(403).end();
 return;
 }
- String[] split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
- if (split.length > 1) {
- // TODO
- String username = proxyServerConf.getString("username");
- String password = proxyServerConf.getString("password");
- if (!split[0].equals(username) || !split[1].equals(password)) {
- LOGGER.info("-----auth failed------\nusername: {}\npassword: {}", username, password);
- clientRequest.response().setStatusCode(403).end();
- return;
- }
+ String[] split;
+ try {
+ split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
+ } catch (IllegalArgumentException e) {
+ LOGGER.warn("Proxy-Authorization header is not valid Base64");
+ clientRequest.response().setStatusCode(403).end();
+ return;
+ }
+ if (split.length <= 1) {
+ LOGGER.warn("Proxy-Authorization header format invalid: missing username:password separator");
+ clientRequest.response().setStatusCode(403).end();
+ return;
+ }
+ String username = proxyServerConf.getString("username");
+ String password = proxyServerConf.getString("password");
+ if (!split[0].equals(username) || !split[1].equals(password)) {
+ LOGGER.info("-----auth failed------\nusername: {}", split[0]);
+ clientRequest.response().setStatusCode(403).end();
+ return;
 }
 }
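Review bot: The credential check on the new `if (!split[0].equals(username) || !split[1].equals(password))` line still uses `String.equals`, which stops at the first differing character, and the preceding `split(":")` truncates any password containing a colon, so a correct password with a ':' in it is rejected (RFC 7617 permits that character in the password, only not in the user-id). `new String(bytes)` without a charset also decodes the credentials with the JVM default charset, so non-ASCII credentials behave differently per deployment. Suggest `split(":", 2)`, decoding with `StandardCharsets.UTF_8`, and comparing with `MessageDigest.isEqual` on the UTF-8 bytes (needs `java.nio.charset.StandardCharsets` and `java.security.MessageDigest` imported); if `proxyServerConf` may lack either key, a null value must be rejected explicitly before `getBytes` is called, since the current code relies on `equals(null)` being false. The `split[0]` passed to `LOGGER.info` is client-supplied, so it is worth stripping line breaks from it before logging to keep one record per line. The enclosing handler starts and ends outside the hunk.
```java
String[] split;
try {
    byte[] decoded = Base64.getDecoder().decode(s.replace("Basic ", ""));
    // limit 2: only the first ':' separates user-id from password
    split = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
} catch (IllegalArgumentException e) {
    // … unchanged: warn + 403 …
}
// … unchanged: split.length <= 1 check …
String username = proxyServerConf.getString("username");
String password = proxyServerConf.getString("password");
// reject missing config explicitly, then compare in constant time
if (username == null || password == null
        || !MessageDigest.isEqual(split[0].getBytes(StandardCharsets.UTF_8), username.getBytes(StandardCharsets.UTF_8))
        || !MessageDigest.isEqual(split[1].getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) {
    // … unchanged: auth-failed log + 403 …
```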