Description
SandboxServiceImpl.requestProxyGateway() builds a signing pre-image by appending appSecret to the path/timestamp/version string, then writes the full pre-image (including the raw appSecret) into the sandbox-beforesign HTTP response header. Since the format is deterministic (pathtimestampversion1.0.0), any recipient of the response can extract the appSecret by splitting on the literal version1.0.0.
Affected File:
shenyu-admin/src/main/java/org/apache/shenyu/admin/service/impl/SandboxServiceImpl.java
Proposed Change:
Strip the appSecret suffix from the value written to sandbox-beforesign. Only include the path, timestamp, and version components for debugging purposes:
```java
// Before: the full signing pre-image, appSecret included, is written to the header
response.addHeader("sandbox-beforesign", encode(signContent)); // includes appSecret

// After: only the non-secret components are exposed for debugging
String debugPreimage = "path" + path + "timestamp" + timestamp + "version" + VERSION;
response.addHeader("sandbox-beforesign", UriUtils.encode(debugPreimage, StandardCharsets.UTF_8));
```
Acceptance Criteria:
- The sandbox-beforesign response header no longer contains appSecret.
- The sandbox-sign header (the final HMAC digest) is unaffected.
- The debugging intent of the header (showing what was signed, minus the secret) is preserved.
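A self-contained stand-in for the header assembly, added here as an example to check the acceptance criteria; it is not ShenYu's code. The pre-image layout follows the issue text; the digest routine (HMAC-SHA256 keyed with appSecret), the sample path and the secret value are assumptions, and `HexFormat` needs Java 17+.

```java
import java.nio.charset.StandardCharsets;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Constructed stand-in for the sandbox header logic (not ShenYu's SandboxServiceImpl). */
public class SandboxHeaderCheck {
    static final String VERSION = "1.0.0";

    // Signing pre-image: ends with appSecret, so it must never leave the server.
    static String signContent(String path, long ts, String appSecret) {
        return "path" + path + "timestamp" + ts + "version" + VERSION + appSecret;
    }

    // Before the fix: the whole pre-image (secret included) went into sandbox-beforesign.
    static String beforeSignHeaderVulnerable(String path, long ts, String appSecret) {
        return signContent(path, ts, appSecret);
    }

    // After the fix: only path, timestamp and version are exposed for debugging.
    static String beforeSignHeaderFixed(String path, long ts) {
        return "path" + path + "timestamp" + ts + "version" + VERSION;
    }

    // sandbox-sign over the full pre-image. Assumption: HMAC-SHA256 keyed with appSecret;
    // the real digest routine may differ, but it reads only the pre-image, not the header.
    static String sandboxSign(String path, long ts, String appSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] digest = mac.doFinal(signContent(path, ts, appSecret).getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest);
    }

    // Acceptance check: the header must not carry the secret and must still show what was signed.
    static boolean headerIsSafe(String header, String appSecret, String path, long ts) {
        return !header.contains(appSecret)
            && header.equals("path" + path + "timestamp" + ts + "version" + VERSION);
    }

    public static void main(String[] args) throws Exception {
        String path = "/http/order/findById?id=1";   // constructed sample request path
        String secret = "constructed-app-secret";    // constructed sample appSecret
        long ts = 1700000000000L;
        System.out.println("vulnerable header safe: "
            + headerIsSafe(beforeSignHeaderVulnerable(path, ts, secret), secret, path, ts));
        System.out.println("fixed header safe:      "
            + headerIsSafe(beforeSignHeaderFixed(path, ts), secret, path, ts));
        // The digest depends only on the pre-image, so it is identical before and after the fix.
        System.out.println("sandbox-sign: " + sandboxSign(path, ts, secret));
    }
}
```

`headerIsSafe` can serve as the body of a regression test against the real `sandbox-beforesign` value once the fix lands.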
Task List
No response