🔒️ more secure token generation

.github/workflows/test.yml

@@ -31,4 +31,4 @@ jobs:
       - name: Run Gosec Security Scanner
         run: |
           go install github.com/securego/gosec/v2/cmd/gosec@latest
-          gosec -exclude=G104,G404 ./...
+          gosec -exclude=G104 ./...

README.md

@@ -4,7 +4,7 @@
   <br>
   <small><i>LOGO designed by <a href="https://xio.ng" target="_blank">熊大</a> .</i></small>
   <br><br>
-<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.14.7&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.11.0-brightgreen?style=for-the-badge&logo=linux">
+<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.14.8&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.11.1-brightgreen?style=for-the-badge&logo=linux">
   <br>
   <br>
   <p>:trollface: <b>Nezha Monitoring: Self-hosted, lightweight server and website monitoring and O&M tool.</b></p>

cmd/dashboard/controller/member_api.go

@@ -100,9 +100,17 @@ func (ma *memberAPI) issueNewToken(c *gin.Context) {
 		})
 		return
 	}
+	secureToken, err := utils.GenerateRandomString(32)
+	if err != nil {
+		c.JSON(http.StatusOK, model.Response{
+			Code:    http.StatusBadRequest,
+			Message: fmt.Sprintf("请求错误：%s", err),
+		})
+		return
+	}
 	token := &model.ApiToken{
 		UserID: u.ID,
-		Token:  utils.MD5(fmt.Sprintf("%d%d%s", time.Now().UnixNano(), u.ID, u.Login)),
+		Token:  secureToken,
 		Note:   tf.Note,
 	}
 	singleton.DB.Create(token)
@@ -310,7 +318,6 @@ type serverForm struct {
 }
 
 func (ma *memberAPI) addOrEditServer(c *gin.Context) {
-	admin := c.MustGet(model.CtxKeyAuthorizedUser).(*model.User)
 	var sf serverForm
 	var s model.Server
 	var isEdit bool
@@ -324,9 +331,10 @@ func (ma *memberAPI) addOrEditServer(c *gin.Context) {
 		s.Note = sf.Note
 		s.HideForGuest = sf.HideForGuest == "on"
 		if s.ID == 0 {
-			s.Secret = utils.MD5(fmt.Sprintf("%s%s%d", time.Now(), sf.Name, admin.ID))
+			s.Secret, err = utils.GenerateRandomString(18)
-			s.Secret = s.Secret[:18]
+			if err == nil {
 				err = singleton.DB.Create(&s).Error
+			}
 		} else {
 			isEdit = true
 			err = singleton.DB.Save(&s).Error

cmd/dashboard/controller/oauth2.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"code.gitea.io/sdk/gitea"
 	"github.com/gin-gonic/gin"
@@ -92,7 +93,15 @@ func (oa *oauth2controller) getRedirectURL(c *gin.Context) string {
 }
 
 func (oa *oauth2controller) login(c *gin.Context) {
-	randomString := utils.RandStringBytesMaskImprSrcUnsafe(32)
+	randomString, err := utils.GenerateRandomString(32)
+	if err != nil {
+		mygin.ShowErrorPage(c, mygin.ErrInfo{
+			Code:  http.StatusBadRequest,
+			Title: "Something Wrong",
+			Msg:   err.Error(),
+		}, true)
+		return
+	}
 	state, stateKey := randomString[:16], randomString[16:]
 	singleton.Cache.Set(fmt.Sprintf("%s%s", model.CacheKeyOauth2State, stateKey), state, cache.DefaultExpiration)
 	url := oa.getCommonOauth2Config(c).AuthCodeURL(state, oauth2.AccessTypeOnline)
@@ -195,7 +204,16 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 		}, true)
 		return
 	}
-	user.IssueNewToken()
+	user.Token, err = utils.GenerateRandomString(32)
+	if err != nil {
+		mygin.ShowErrorPage(c, mygin.ErrInfo{
+			Code:  http.StatusBadRequest,
+			Title: "Something wrong",
+			Msg:   err.Error(),
+		}, true)
+		return
+	}
+	user.TokenExpired = time.Now().AddDate(0, 2, 0)
 	singleton.DB.Save(&user)
 	c.SetCookie(singleton.Conf.Site.CookieName, user.Token, 60*60*24, "", "", false, false)
 	c.HTML(http.StatusOK, "dashboard-"+singleton.Conf.Site.DashboardTheme+"/redirect", mygin.CommonEnvironment(c, gin.H{

model/user.go

@@ -1,14 +1,11 @@
 package model
 
 import (
-	"fmt"
 	"time"
 
 	"code.gitea.io/sdk/gitea"
 	"github.com/google/go-github/v47/github"
 	"github.com/xanzy/go-gitlab"
-
-	"github.com/naiba/nezha/pkg/utils"
 )
 
 type User struct {
@@ -72,8 +69,3 @@ func NewUserFromGitHub(gu *github.User) User {
 	u.Bio = gu.GetBio()
 	return u
 }
-
-func (u *User) IssueNewToken() {
-	u.Token = utils.MD5(fmt.Sprintf("%d%d%s", time.Now().UnixNano(), u.ID, u.Login))
-	u.TokenExpired = time.Now().AddDate(0, 2, 0)
-}

pkg/utils/utils.go

@@ -1,53 +1,17 @@
 package utils
 
 import (
-	"crypto/md5" // #nosec
+	"crypto/rand"
-	"encoding/hex"
+	"math/big"
-	"math/rand"
 	"os"
 	"regexp"
 	"strings"
-	"time"
-	"unsafe"
 
 	jsoniter "github.com/json-iterator/go"
 )
 
 var Json = jsoniter.ConfigCompatibleWithStandardLibrary
 
-const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-const (
-	letterIdxBits = 6                    // 6 bits to represent a letter index
-	letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
-	letterIdxMax  = 63 / letterIdxBits   // # of letter indices fitting in 63 bits
-)
-
-func RandStringBytesMaskImprSrcUnsafe(n int) string {
-	var src = rand.NewSource(time.Now().UnixNano())
-	b := make([]byte, n)
-
-	// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
-	for i, cache, remain := n-1, src.Int63(), letterIdxMax; i >= 0; {
-		if remain == 0 {
-			cache, remain = src.Int63(), letterIdxMax
-		}
-		if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
-			b[i] = letterBytes[idx]
-			i--
-		}
-		cache >>= letterIdxBits
-		remain--
-	}
-
-	return *(*string)(unsafe.Pointer(&b)) //#nosec
-}
-
-func MD5(plantext string) string {
-	hash := md5.New() // #nosec
-	hash.Write([]byte(plantext))
-	return hex.EncodeToString(hash.Sum(nil))
-}
-
 func IsWindows() bool {
 	return os.PathSeparator == '\\' && os.PathListSeparator == ';'
 }
@@ -98,3 +62,17 @@ func IsFileExists(path string) bool {
 	_, err := os.Stat(path)
 	return err == nil
 }
+
+func GenerateRandomString(n int) (string, error) {
+	const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	lettersLength := big.NewInt(int64(len(letters)))
+	ret := make([]byte, n)
+	for i := 0; i < n; i++ {
+		num, err := rand.Int(rand.Reader, lettersLength)
+		if err != nil {
+			return "", err
+		}
+		ret[i] = letters[num.Int64()]
+	}
+	return string(ret), nil
+}

pkg/utils/utils_test.go

@@ -39,3 +39,14 @@ func TestNotification(t *testing.T) {
 		assert.Equal(t, IPDesensitize(c.input), c.output)
 	}
 }
+
+func TestGenerGenerateRandomString(t *testing.T) {
+	generatedString := make(map[string]bool)
+	for i := 0; i < 100; i++ {
+		str, err := GenerateRandomString(32)
+		assert.Nil(t, err)
+		assert.Equal(t, len(str), 32)
+		assert.False(t, generatedString[str])
+		generatedString[str] = true
+	}
+}

script/install.sh

@@ -11,7 +11,7 @@ NZ_BASE_PATH="/opt/nezha"
 NZ_DASHBOARD_PATH="${NZ_BASE_PATH}/dashboard"
 NZ_AGENT_PATH="${NZ_BASE_PATH}/agent"
 NZ_AGENT_SERVICE="/etc/systemd/system/nezha-agent.service"
-NZ_VERSION="v0.11.0"
+NZ_VERSION="v0.11.1"
 
 red='\033[0;31m'
 green='\033[0;32m'

script/install_en.sh

@@ -11,7 +11,7 @@ NZ_BASE_PATH="/opt/nezha"
 NZ_DASHBOARD_PATH="${NZ_BASE_PATH}/dashboard"
 NZ_AGENT_PATH="${NZ_BASE_PATH}/agent"
 NZ_AGENT_SERVICE="/etc/systemd/system/nezha-agent.service"
-NZ_VERSION="v0.11.0"
+NZ_VERSION="v0.11.1"
 
 red='\033[0;31m'
 green='\033[0;32m'

service/singleton/singleton.go

@@ -12,7 +12,7 @@ import (
 	"github.com/naiba/nezha/pkg/utils"
 )
 
-var Version = "v0.14.7" // ！！记得修改 README 中的 badge 版本！！
+var Version = "v0.14.8" // ！！记得修改 README 中的 badge 版本！！
 
 var (
 	Conf  *model.Config