fix(bk-auth-verify): add app_code/app_secret length check

TencentBlueKing · wklken · Nov 30, 2023 · Nov 27, 2023 · Nov 27, 2023 · Nov 29, 2023
commit 73e1c8d743c0dc4114a6d9c1a233b0e564a78c8e
diff --git a/src/apisix/plugins/bk-auth-verify/app-account-verifier.lua b/src/apisix/plugins/bk-auth-verify/app-account-verifier.lua
@@ -20,6 +20,7 @@ local app_account_utils = require("apisix.plugins.bk-auth-verify.app-account-uti
 local bk_app_define = require("apisix.plugins.bk-define.app")
 local bk_cache = require("apisix.plugins.bk-cache.init")
 local setmetatable = setmetatable
+local string       = string
 
 local _M = {}
 
@@ -45,6 +46,14 @@ function _M.verify_app(self)
         return bk_app_define.new_anonymous_app("app code cannot be empty")
     end
 
+    -- check the length before call bkauth apis
+    if string.len(self.app_code) > 32 then
+        return bk_app_define.new_anonymous_app("app code cannot be longer than 32 characters")
+    end
+    if string.len(self.app_secret) > 128 then
+        return bk_app_define.new_anonymous_app("app secret cannot be longer than 128 characters")
+    end
+
     if not pl_types.is_empty(self.app_secret) then
         return self:verify_by_app_secret()
     end

diff --git a/src/apisix/tests/bk-auth-verify/test-app-account-verifier.lua b/src/apisix/tests/bk-auth-verify/test-app-account-verifier.lua
@@ -83,6 +83,35 @@ describe(
                     end
                 )
 
+                it(
+                    "app_code length is greather 32", function()
+                        local auth_params = auth_params_mod.new({
+                            bk_app_code = "123456789012345678901234567890123",
+                        })
+                        local verifier = app_account_verifier_mod.new(auth_params)
+
+                        local app = verifier:verify_app()
+                        assert.is_equal(app.app_code, "")
+                        assert.is_false(app.verified)
+                        assert.is_equal(app.valid_error_message, "app code cannot be longer than 32 characters")
+                    end
+                )
+
+                it(
+                    "app_secret length is greather 128", function()
+                        local auth_params = auth_params_mod.new({
+                            bk_app_code = "hello",
+                            bk_app_secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+                        })
+                        local verifier = app_account_verifier_mod.new(auth_params)
+
+                        local app = verifier:verify_app()
+                        assert.is_equal(app.app_code, "")
+                        assert.is_false(app.verified)
+                        assert.is_equal(app.valid_error_message, "app secret cannot be longer than 128 characters")
+                    end
+                )
+
                 it(
                     "app secret is not empty", function()
                         auth_params = auth_params_mod.new(