refactor: 优化金属头像生成参数处理

adlered · adlered · commit cdcf5a31da6d · 2025-05-13T21:39:52.000+08:00
- 重构参数处理逻辑，提高代码可读性和维护性
- 增加参数安全过滤，防止潜在的注入攻击
- 优化参数拼接，提高效率
diff --git a/src/main/java/org/b3log/symphony/processor/ChatroomProcessor.java b/src/main/java/org/b3log/symphony/processor/ChatroomProcessor.java
@@ -228,21 +228,14 @@ protected boolean removeEldestEntry(Map.Entry eldest) {
         }
     });
     public void genMetal(final RequestContext context) {
-        Set<String> params = context.getRequest().getParameterNames();
-        String paramString = "";
-        List<String> paramList = new ArrayList<>();
-        paramList.add("ver");
-        paramList.add("scale");
-        paramList.add("txt");
-        paramList.add("url");
-        paramList.add("backcolor");
-        paramList.add("fontcolor");
-        for (String param : params) {
-            if (paramList.contains(param)) {
-                paramString += param + "=" + context.getRequest().getParameter(param) + "&";
-            }
-        }
-        paramString = "?" + paramString.substring(0, paramString.length() - 1);
+        String ver = safeParam(context.param("ver"), "ver");
+        String scale = safeParam(context.param("scale"), "scale");
+        String txt = safeParam(context.param("txt"), "txt");
+        String url = safeParam(context.param("url"), "url");
+        String backcolor = safeParam(context.param("backcolor"), "backcolor");
+        String fontcolor = safeParam(context.param("fontcolor"), "fontcolor");
+        String paramString = "?ver=" + ver + "&scale=" + scale + "&txt=" + txt + "&url=" + url + "&backcolor=" + backcolor + "&fontcolor=" + fontcolor;
+
         String body = "";
         if (!metalCache.containsKey(paramString)) {
             String genUrl = Symphonys.get("gen.metal.url") + paramString;
@@ -263,6 +256,32 @@ public void genMetal(final RequestContext context) {
         context.getResponse().sendBytes(body.getBytes());
     }
 
+    public static String safeParam(String value, String type) {
+        if (value == null) return "";
+
+        if ("ver".equals(type) || "scale".equals(type)) {
+            return value.replaceAll("[^\\d.]", "")
+                    .replaceAll("\\.{2,}", ".")
+                    .replaceAll("^[^\\d]+", "")
+                    .replaceAll("(\\..*)\\.", "$1");
+        } else if ("txt".equals(type)) {
+            return value.replaceAll("[^\\u4e00-\\u9fa5a-zA-Z0-9\\s，。！？；：“”‘’（）【】《》…—~-]", "");
+        } else if ("url".equals(type)) {
+            String filtered = value.replaceAll("[^a-zA-Z0-9\\-._~:/?#@!$&'()*+,;=%]", "");
+            return filtered.startsWith("https://file.fishpi.cn") ? filtered : "";
+        } else if ("fontcolor".equals(type)) {
+            return value.replaceAll("[^0-9a-fA-F]", "")
+                    .substring(0, Math.min(6, value.length()))
+                    .toLowerCase();
+        } else if ("backcolor".equals(type)) {
+            return value.replaceAll("[^0-9a-fA-F,]", "")
+                    .substring(0, Math.min(13, value.length()))
+                    .toLowerCase();
+        }
+        return value;
+    }
+
+
     public void nodePush(final RequestContext context) {
         final JSONObject requestJSONObject = context.requestJSON();
         String adminKey = requestJSONObject.optString("adminKey");
