security: use crypto/rand for secret keys

2026-03-13 09:24:07 +08:00 · 2026-02-05 19:19:39 +08:00
parent 9dcc82ead8
commit 57239e81af
9 changed files with 23 additions and 9 deletions
--- a/application/constants/constants.go
+++ b/application/constants/constants.go
@@ -3,7 +3,7 @@ package constants
 // These values will be injected at build time, DO NOT EDIT.

 // BackendVersion 当前后端版本号
-var BackendVersion = "4.12.0"
+var BackendVersion = "4.13.0"

 // IsPro 是否为Pro版本
 var IsPro = "false"
--- a/inventory/migration.go
+++ b/inventory/migration.go
@@ -15,6 +15,7 @@ import (
 	"github.com/cloudreve/Cloudreve/v4/ent/oauthclient"
 	"github.com/cloudreve/Cloudreve/v4/ent/setting"
 	"github.com/cloudreve/Cloudreve/v4/ent/storagepolicy"
+	"github.com/cloudreve/Cloudreve/v4/inventory/debug"
 	"github.com/cloudreve/Cloudreve/v4/inventory/types"
 	"github.com/cloudreve/Cloudreve/v4/pkg/boolset"
 	"github.com/cloudreve/Cloudreve/v4/pkg/cache"
@@ -563,6 +564,19 @@ var patches = []Patch{
 				return fmt.Errorf("failed to update thumb_entity_suffix setting: %w", err)
 			}

+			return nil
+		},
+	},
+	{
+		Name:       "reset_secret_key",
+		EndVersion: "4.13.0",
+		Func: func(l logging.Logger, client *ent.Client, ctx context.Context) error {
+			newSecretKey := util.RandStringRunesCrypto(256)
+			ctx = context.WithValue(ctx, debug.SkipDbLogging{}, true)
+			if err := client.Setting.Update().Where(setting.Name("secret_key")).SetValue(newSecretKey).Exec(ctx); err != nil {
+				return fmt.Errorf("failed to update secret_key setting: %w", err)
+			}
+
 			return nil
 		},
 	},
--- a/inventory/oauth_client.go
+++ b/inventory/oauth_client.go
@@ -201,7 +201,7 @@ func (c *oauthClientClient) Create(ctx context.Context, client *ent.OAuthClient)
 		client.GUID = uuid.Must(uuid.NewV4()).String()
 	}
 	if client.Secret == "" {
-		client.Secret = util.RandStringRunes(32)
+		client.Secret = util.RandStringRunesCrypto(32)
 	}

 	return c.client.OAuthClient.Create().
--- a/inventory/setting.go
+++ b/inventory/setting.go
@@ -523,7 +523,7 @@ var DefaultSettings = map[string]string{
 	"defaultTheme":                               `#1976d2`,
 	"theme_options":                              `{"#1976d2":{"light":{"palette":{"primary":{"main":"#1976d2","light":"#42a5f5","dark":"#1565c0"},"secondary":{"main":"#9c27b0","light":"#ba68c8","dark":"#7b1fa2"}}},"dark":{"palette":{"primary":{"main":"#90caf9","light":"#e3f2fd","dark":"#42a5f5"},"secondary":{"main":"#ce93d8","light":"#f3e5f5","dark":"#ab47bc"}}}},"#3f51b5":{"light":{"palette":{"primary":{"main":"#3f51b5"},"secondary":{"main":"#f50057"}}},"dark":{"palette":{"primary":{"main":"#9fa8da"},"secondary":{"main":"#ff4081"}}}}}`,
 	"max_parallel_transfer":                      `4`,
-	"secret_key":                                 util.RandStringRunes(256),
+	"secret_key":                                 util.RandStringRunesCrypto(256),
 	"temp_path":                                  "temp",
 	"avatar_path":                                "avatar",
 	"avatar_size":                                "4194304",
@@ -588,7 +588,7 @@ var DefaultSettings = map[string]string{
 	"show_app_promotion":                         "1",
 	"public_resource_maxage":                     "86400",
 	"viewer_session_timeout":                     "36000",
-	"hash_id_salt":                               util.RandStringRunes(64),
+	"hash_id_salt":                               util.RandStringRunesCrypto(64),
 	"access_token_ttl":                           "3600",
 	"refresh_token_ttl":                          "1209600", // 2 weeks
 	"use_cursor_pagination":                      "1",
--- a/pkg/conf/conf.go
+++ b/pkg/conf/conf.go
@@ -33,7 +33,7 @@ func NewIniConfigProvider(configPath string, l logging.Logger) (ConfigProvider,
 		l.Info("Config file %q not found, creating a new one.", configPath)
 		// 创建初始配置文件
 		confContent := util.Replace(map[string]string{
-			"{SessionSecret}": util.RandStringRunes(64),
+			"{SessionSecret}": util.RandStringRunesCrypto(64),
 		}, defaultConf)
 		f, err := util.CreatNestedFile(configPath)
 		if err != nil {
--- a/pkg/filemanager/fs/dbfs/upload.go
+++ b/pkg/filemanager/fs/dbfs/upload.go
@@ -247,7 +247,7 @@ func (f *DBFS) PrepareUpload(ctx context.Context, req *fs.UploadRequest, opts ..
 		EntityID:       entityId,
 		UID:            f.user.ID,
 		Policy:         policy,
-		CallbackSecret: util.RandStringRunes(32),
+		CallbackSecret: util.RandStringRunesCrypto(32),
 		LockToken:      lockToken, // Prevent lock being released.
 	}

--- a/pkg/filemanager/manager/viewer.go
+++ b/pkg/filemanager/manager/viewer.go
@@ -60,7 +60,7 @@ func (m *manager) CreateViewerSession(ctx context.Context, uri *fs.URI, version
 	}

 	sessionID := uuid.Must(uuid.NewV4()).String()
-	token := util.RandStringRunes(128)
+	token := util.RandStringRunesCrypto(128)
 	sessionCache := &ViewerSessionCache{
 		ID:       sessionID,
 		Uri:      file.Uri(false).String(),
--- a/service/admin/site.go
+++ b/service/admin/site.go
@@ -343,7 +343,7 @@ func siteUrlPreProcessor(ctx context.Context, settings map[string]string) error
 }

 func secretKeyPreProcessor(ctx context.Context, settings map[string]string) error {
-	settings["secret_key"] = util.RandStringRunes(256)
+	settings["secret_key"] = util.RandStringRunesCrypto(256)
 	return nil
 }

--- a/service/user/login.go
+++ b/service/user/login.go
@@ -96,7 +96,7 @@ func (service *UserResetEmailService) Reset(c *gin.Context) error {
 		return serializer.NewError(serializer.CodeUserNotActivated, "This user is not activated", nil)
 	}

-	secret := util.RandStringRunes(32)
+	secret := util.RandStringRunesCrypto(32)
 	if err := dep.KV().Set(fmt.Sprintf("%s%d", userResetPrefix, u.ID), secret, 3600); err != nil {
 		return serializer.NewError(serializer.CodeInternalSetting, "Failed to create reset session", err)
 	}