[Task] Remove appSecret from sandbox-beforesign response header #6402

Description

@Aias00

SandboxServiceImpl.requestProxyGateway() builds a signing pre-image by appending appSecret to the path/timestamp/version string, then writes the full pre-image (including the raw appSecret) into the sandbox-beforesign HTTP response header. Since the format is deterministic (pathtimestampversion1.0.0), any recipient of the response can extract the appSecret by splitting on the literal version1.0.0.

Affected File:

shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java

Proposed Change:

Strip the appSecret suffix from the value written to sandbox-beforesign. Only include the path, timestamp, and version components for debugging purposes:

```java
// Before: response.addHeader("sandbox-beforesign", encode(signContent)); // includes appSecret
// After:
String debugPreimage = "path" + path + "timestamp" + timestamp + "version" + VERSION;
response.addHeader("sandbox-beforesign", UriUtils.encode(debugPreimage, StandardCharsets.UTF_8));
```

Acceptance Criteria:

- The sandbox-beforesign response header no longer contains appSecret.
- The sandbox-sign header (the final HMAC digest) is unaffected.
- The debugging intent of the header (showing what was signed, minus the secret) is preserved.

Task List

No response
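
A standalone check of the acceptance criteria above, added here as an example and not taken from the ShenYu code base. It uses the JDK's URLEncoder in place of UriUtils; the class name, helper names and sample values are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class BeforeSignHeaderCheck {
    static final String VERSION = "1.0.0";

    // Proposed header content: path, timestamp and version only.
    static String debugPreimage(String path, String timestamp) {
        return "path" + path + "timestamp" + timestamp + "version" + VERSION;
    }

    // Pre-image as the issue describes it: the same string with appSecret appended.
    static String signContent(String path, String timestamp, String appSecret) {
        return debugPreimage(path, timestamp) + appSecret;
    }

    // JDK stand-in (assumption) for the UriUtils.encode call shown in the issue.
    static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // True when the decoded header value carries the secret.
    static boolean leaksSecret(String headerValue, String appSecret) {
        return URLDecoder.decode(headerValue, StandardCharsets.UTF_8).contains(appSecret);
    }

    public static void main(String[] args) {
        // Constructed sample values, not from any real deployment.
        String path = "/http/order/findById";
        String timestamp = "1700000000000";
        String appSecret = "EXAMPLE-SECRET-0000";

        String before = encode(signContent(path, timestamp, appSecret));
        String after = encode(debugPreimage(path, timestamp));

        // Criterion 1: the new header value must not contain appSecret.
        if (!leaksSecret(before, appSecret)) throw new AssertionError("old header should leak");
        if (leaksSecret(after, appSecret)) throw new AssertionError("new header still leaks");

        // Criteria 2 and 3: the signer's input is unchanged, and the header is
        // exactly that input with the secret suffix removed.
        String decoded = URLDecoder.decode(after, StandardCharsets.UTF_8);
        if (!signContent(path, timestamp, appSecret).equals(decoded + appSecret))
            throw new AssertionError("header no longer matches the signed components");
        System.out.println("sandbox-beforesign: " + after);
    }
}
```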
