fix a secure issue

Signed-off-by: yxxhero <aiopsclub@163.com>
dragonflyoss · Aug 31, 2021 · 41af67f · 41af67f
1 parent 8ddefea
commit 41af67f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/manager/oauth/oauth.go b/manager/oauth/oauth.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"d7y.io/dragonfly/v2/manager/model"
+	"d7y.io/dragonfly/v2/pkg/util/stringutils"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 	"gorm.io/gorm"
@@ -68,7 +69,7 @@ func (oa *baseOauth2) GetRediectURL(db *gorm.DB) (string, error) {
 }
 
 func (oa *baseOauth2) AuthCodeURL() string {
-	return oa.Config.AuthCodeURL("state")
+	return oa.Config.AuthCodeURL(stringutils.RandString(5))
 }
 
 func (oa *baseOauth2) GetOauthUserInfo(token string) (*oauth2User, error) {

diff --git a/pkg/util/stringutils/string_utils.go b/pkg/util/stringutils/string_utils.go
@@ -18,7 +18,9 @@
 package stringutils
 
 import (
+	"math/rand"
 	"strings"
+	"time"
 	"unicode"
 )
 
@@ -65,3 +67,13 @@ func Contains(slice []string, ele string) bool {
 
 	return false
 }
+
+func RandString(len int) string {
+	r := rand.New(rand.NewSource(time.Now().Unix()))
+	bytes := make([]byte, len)
+	for i := 0; i < len; i++ {
+		b := r.Intn(26) + 65
+		bytes[i] = byte(b)
+	}
+	return string(bytes)
+}