From 164b2c98d1eff0937755a047c06f9bf58b0ca433 Mon Sep 17 00:00:00 2001
From: alick-liming
Date: Fri, 13 Dec 2024 12:22:27 +0800
Subject: [PATCH] fix panic
---
 api_event_callback.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/api_event_callback.go b/api_event_callback.go
index ed3a6270..80f53db6 100644
--- a/api_event_callback.go
+++ b/api_event_callback.go
@@ -319,5 +319,26 @@ func decryptEncryptString(encryptKey string, cryptoText string) (string, error)
 stream := cipher.NewCBCDecrypter(block, iv)
 stream.CryptBlocks(ciphertext, ciphertext)
- return string(ciphertext[:len(ciphertext)-int(ciphertext[len(ciphertext)-1])]), nil
+ // 安全地移除 PKCS7 填充
+ if len(ciphertext) == 0 {
+ return "", errors.New("invalid ciphertext: empty after decryption")
+ }
+
+ // 获取填充长度
+ paddingLength := int(ciphertext[len(ciphertext)-1])
+
+ // 额外的安全检查
+ if paddingLength > len(ciphertext) || paddingLength == 0 {
+ return "", errors.New("invalid padding")
+ }
+
+ // 验证填充是否正确
+ for i := 1; i <= paddingLength; i++ {
+ if ciphertext[len(ciphertext)-i] != byte(paddingLength) {
+ return "", errors.New("invalid PKCS7 padding")
+ }
+ }
+
+ // 移除填充并返回
+ return string(ciphertext[:len(ciphertext)-paddingLength]), nil
 }
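Review bot: The bound in `if paddingLength > len(ciphertext) || paddingLength == 0` accepts pad lengths larger than one cipher block, which PKCS7 never produces; checking against the block size is tighter: `if paddingLength == 0 || paddingLength > block.BlockSize() || paddingLength > len(ciphertext) {`. The two failure paths also return different strings (`invalid padding` and `invalid PKCS7 padding`), and the verification loop exits on the first mismatch. If a caller relays that error or its timing to whoever sent the callback, CBC decryption without a prior integrity check can act as a padding oracle. Returning one generic error for every padding failure, and authenticating the request before decrypting where the caller has a signature to check, would reduce that exposure. The start of decryptEncryptString is outside the hunk, so it is not visible whether input whose length is not a multiple of the block size is rejected before `stream.CryptBlocks`, which panics on such input.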