fix: 处理时序攻击漏洞 (#4373)

8 months ago · 0a7f1eb286
5 changed files with 20 additions and 5 deletions
--- a/backend/app/service/auth.go
+++ b/backend/app/service/auth.go
@ -1,6 +1,7 @@
 package service

 import (
+	"crypto/hmac"
 	"strconv"

 	"github.com/1Panel-dev/1Panel/backend/app/dto"
@ -42,7 +43,7 @@ func (u *AuthService) Login(c *gin.Context, info dto.Login, entrance string) (*d
 	if err != nil {
 		return nil, constant.ErrAuth
 	}
-	if info.Password != pass || nameSetting.Value != info.Name {
+	if !hmac.Equal([]byte(info.Password), []byte(pass)) || nameSetting.Value != info.Name {
 		return nil, constant.ErrAuth
 	}
 	entranceSetting, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
@ -78,7 +79,7 @@ func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance strin
 	if err != nil {
 		return nil, err
 	}
-	if info.Password != pass || nameSetting.Value != info.Name {
+	if !hmac.Equal([]byte(info.Password), []byte(pass)) || nameSetting.Value != info.Name {
 		return nil, constant.ErrAuth
 	}
 	entranceSetting, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
@ -168,7 +169,7 @@ func (u *AuthService) VerifyCode(code string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return setting.Value == code, nil
+	return hmac.Equal([]byte(setting.Value), []byte(code)), nil
 }

 func (u *AuthService) CheckIsSafety(code string) (string, error) {
--- a/backend/i18n/lang/en.yaml
+++ b/backend/i18n/lang/en.yaml
@ -172,6 +172,9 @@ ErrScope: "Modification of this configuration is not supported"
 ErrStateChange: "State modification failed"
 ErrRuleExist: "Rule is Exist"
 ErrRuleNotExist: "Rule is not Exist"
+ErrParseIP: "IP format error"
+ErrDefaultIP: "default is a reserved name, please change it to another name"
+ErrGroupInUse: "The IP group is used by the black/white list and cannot be deleted"

 #license
 ErrLicense: "License format error, {{ .err }}, please re-import!"
--- a/backend/i18n/lang/zh-Hant.yaml
+++ b/backend/i18n/lang/zh-Hant.yaml
@ -173,6 +173,9 @@ ErrScope: "不支援修改此配置"
 ErrStateChange: "狀態修改失敗"
 ErrRuleExist: "規則名稱已存在"
 ErrRuleNotExist: "規則不存在"
+ErrParseIP: "IP 格式錯誤"
+ErrDefaultIP: "default 為保留名稱，請更換其他名稱"
+ErrGroupInUse: "IP 群組被黑/白名單使用，無法刪除"

 #license
 ErrLicense: "License 格式錯誤，{{ .err }}，請重新匯入！"
--- a/backend/i18n/lang/zh.yaml
+++ b/backend/i18n/lang/zh.yaml
@ -172,6 +172,9 @@ ErrScope: "不支持修改此配置"
 ErrStateChange: "状态修改失败"
 ErrRuleExist: "规则名称已存在"
 ErrRuleNotExist: "规则不存在"
+ErrParseIP: "IP 格式错误"
+ErrDefaultIP: "default 为保留名称，请更换其他名称"
+ErrGroupInUse: "IP 组被黑/白名单使用，无法删除"

 #license
 ErrLicense: "License 格式错误，{{ .err }}，请重新导入！"
--- a/frontend/src/components/config-card/index.vue
+++ b/frontend/src/components/config-card/index.vue
@ -9,7 +9,9 @@
            <span>
                {{ header }}
            </span>
-            <slot name="header-r" />
+            <div class="header-r">
+                <slot name="header-r" />
+            </div>
        </div>

        <el-text type="info">{{ description }}</el-text>
@ -44,12 +46,15 @@ defineProps({
    .config-header {
        margin-bottom: 18px;
        display: flex;
-        justify-content: space-between;
+        justify-content: space-start;
        align-items: center;
        span {
            font-weight: normal;
            font-size: 18px;
        }
+        .header-r {
+            margin-left: 20px;
+        }
    }

    .config-content {