From bd0f33bb7cbcca5eec92325c350bc7fbc366b609 Mon Sep 17 00:00:00 2001
From: Administrator <15274802129@163.com>
Date: Tue, 23 Jun 2026 21:04:10 +0800
Subject: [PATCH] refactor(pay): 优化LWPAY签名逻辑,使用字段白名单确保安全

---
 src/main/java/cc/mrbird/febs/pay/service/LwPayService.java |   22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java b/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
index cf85b35..4930908 100644
--- a/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
+++ b/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
@@ -46,6 +46,15 @@
     /** LWPAY API 基础地址 */
     private static final String LWPAY_BASE_URL = "https://lwpay.live";
 
+    /**
+     * 参与签名的字段白名单
+     * 签名只包含这 7 个业务必传字段,pay_productname / pay_attach / pay_md5sign 不参与签名
+     */
+    private static final String[] SIGN_FIELD_KEYS = {
+            "pay_memberid", "pay_orderid", "pay_applydate",
+            "pay_bankcode", "pay_notifyurl", "pay_callbackurl", "pay_amount"
+    };
+
     // ==================== 代收接口 ====================
 
     /**
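Review bot: The Javadoc on SIGN_FIELD_KEYS states which fields are excluded from the signature but not why, and the exclusion has a security consequence a maintainer should see: any field outside the whitelist (pay_productname, pay_attach, and by extension the `network:` value placed in pay_attach) is transmitted without integrity protection, so the provider cannot detect tampering with it. If the seven-field set is dictated by the provider's signing specification, say so and cite it, e.g. `* 字段集合以 LWPAY 签名文档为准: <SPEC-REF placeholder>;白名单以外的字段不受签名保护`. If it is instead a local choice, the commit title's "确保安全" claim should be reconsidered, since a narrower signature covers less, not more.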
@@ -78,8 +87,15 @@
             params.put("pay_attach", "network:" + network);
         }
 
-        // 生成签名
-        String sign = generateSign(params, secretKey);
+        // 签名:仅使用白名单中的 7 个业务必传字段
+        TreeMap<String, String> signParams = new TreeMap<>();
+        for (String key : SIGN_FIELD_KEYS) {
+            String val = params.get(key);
+            if (StrUtil.isNotBlank(val)) {
+                signParams.put(key, val);
+            }
+        }
+        String sign = generateSign(signParams, secretKey);
         params.put("pay_md5sign", sign);
 
         log.info("LWPAY 代收请求: memberId={}, orderNo={}, amount={}, bankCode={}",
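Review bot: The `if (StrUtil.isNotBlank(val))` guard in the whitelist loop silently drops any of the seven fields that is missing or blank, even though the comment on SIGN_FIELD_KEYS calls them mandatory; a request with an empty pay_notifyurl or pay_amount would then be signed over fewer fields and fail only at the provider with an opaque signature-mismatch error. Since these are required inputs, failing fast here is clearer and keeps the signed field set fixed: `if (StrUtil.isBlank(val)) { throw new IllegalArgumentException("LWPAY sign field missing: " + key); }` followed by `signParams.put(key, val);`. If some of the seven are legitimately optional for certain flows, the whitelist comment should say which. The enclosing method starts and ends outside this hunk, so I cannot see whether an earlier validation already guarantees these fields are set.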
@@ -186,7 +202,7 @@
      */
     public String generateSign(TreeMap<String, String> params, String secretKey) {
         String signStr = buildSignString(params) + "&key=" + secretKey;
-        log.debug("LWPAY 待签名字符串: {}", signStr);
+        log.info("LWPAY 待签名字符串: {}", signStr);
         return SecureUtil.md5(signStr).toUpperCase();
     }
 
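Review bot: The change from `log.debug` to `log.info` on the 待签名字符串 line writes the merchant secret key to the application log at a level that is normally enabled in production, because signStr is built as `buildSignString(params) + "&key=" + secretKey`; anyone with log access (aggregation pipelines, support staff, backups) can then forge LWPAY signatures. Keep the key out of the logged value regardless of level: `String base = buildSignString(params);` then `log.debug("LWPAY 待签名字符串: {}", base);` and `return SecureUtil.md5(base + "&key=" + secretKey).toUpperCase();`. If the raised level was added for troubleshooting the new whitelist, logging signParams' keys or the resulting sign value gives the same diagnostic without exposing the key. Existing logs written since this change should be treated as having exposed the key.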

--
Gitblit v1.9.1