Skip to content

Commit cebc127

Browse files
aksOpsclaude
andcommitted
fix(security): use UTF-8 charset in RateLimitFilter.sha256Short (SpotBugs DM_DEFAULT_ENCODING)
SpotBugs flagged String.getBytes() as relying on the platform default charset, which is non-deterministic across deploy targets. Switch to StandardCharsets.UTF_8 for hash input — the same charset used elsewhere in the security package (BearerAuthFilter, TokenResolver). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 4a09fad commit cebc127

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

src/main/java/io/github/randomcodespace/iq/config/security/RateLimitFilter.java

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@
1616
import org.springframework.web.filter.OncePerRequestFilter;
1717

1818
import java.io.IOException;
19+
import java.nio.charset.StandardCharsets;
1920
import java.security.MessageDigest;
2021
import java.security.NoSuchAlgorithmException;
2122
import java.time.Duration;
@@ -155,7 +156,8 @@ static String clientKey(HttpServletRequest request) {
155156
/** First 16 hex chars of SHA-256(input) — enough collision resistance for keying. */
156157
private static String sha256Short(String input) {
157158
try {
158-
byte[] hash = MessageDigest.getInstance("SHA-256").digest(input.getBytes());
159+
byte[] hash = MessageDigest.getInstance("SHA-256")
160+
.digest(input.getBytes(StandardCharsets.UTF_8));
159161
return HexFormat.of().formatHex(hash, 0, 8);
160162
} catch (NoSuchAlgorithmException e) {
161163
throw new IllegalStateException("SHA-256 unavailable", e);

0 commit comments

Comments
 (0)