fix: remove CVE-2023-46809 revert config

use RSA_PKCS1_OAEP_PADDING instead of RSA_PKCS1_PADDING

revert #650

run test on Node.js 22

.github/workflows/nodejs.yml

@@ -32,7 +32,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [18, 20, 21]
+        node-version: [18, 20, 22]
         os: [ubuntu-latest]
 
     steps:
@@ -83,7 +83,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [16, 18, 20]
+        node-version: [18, 20, 22]
         os: [ubuntu-latest]
 
     steps:

.github/workflows/release.yml

@@ -10,5 +10,3 @@ jobs:
     secrets:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
-    with:
-      checkTest: false

app/common/CryptoUtil.ts

@@ -20,14 +20,15 @@ export function genRSAKeys(): { publicKey: string, privateKey: string } {
 export function encryptRSA(publicKey: string, data: string): string {
   return publicEncrypt({
     key: publicKey,
-    padding: constants.RSA_PKCS1_PADDING,
+    // https://zhuanlan.zhihu.com/p/356604821
+    padding: constants.RSA_PKCS1_OAEP_PADDING,
   }, Buffer.from(data, 'utf8')).toString('base64');
 }
 
 // decrypt rsa private key
 export function decryptRSA(privateKey: string, data: string) {
   return privateDecrypt({
     key: privateKey,
-    padding: constants.RSA_PKCS1_PADDING,
+    padding: constants.RSA_PKCS1_OAEP_PADDING,
   }, Buffer.from(data, 'base64')).toString('utf8');
 }

package.json

@@ -60,9 +60,6 @@
     "url": "[email protected]:cnpm/cnpmcore.git"
   },
   "egg": {
-    "revert": [
-      "CVE-2023-46809"
-    ],
     "typescript": true
   },
   "keywords": [

test/port/webauth/webauthController.test.ts

@@ -122,7 +122,6 @@ describe('test/port/webauth/webauthController.test.ts', () => {
       });
 
       it('should login success', async () => {
-
         const password = encryptRSA(rsaKeys.publicKey, 'flymetothemoon');
         const res = await app.httpRequest()
           .post(`/-/v1/login/request/session/${sessionId}`)