
Fix NullPointerException in WxOpenXmlMessage.fromEncryptedXml method

[Open] Copilot opened this issue 2 months ago • 0 comments

The WxOpenXmlMessage.fromEncryptedXml() method was vulnerable to NullPointerException when processing encrypted WeChat Open Platform messages, particularly affecting receive_ticket functionality that worked in 4.7.6.B but failed in 4.7.7.B.

Root Cause Analysis

The issue occurred in two scenarios:

  1. In fromXml() method: If the decrypted XML content was null, calling xml.replace("</PicList><PicList>", "") would throw NullPointerException
  2. In fromEncryptedXml() method: No validation was performed on the decrypted content before passing it to fromXml()

Changes Made

Added null safety to fromXml() method:

public static WxOpenXmlMessage fromXml(String xml) {
  // Rewrite WeChat's awkward message format (back-to-back PicList elements) so it is easier to parse
  if (xml != null) {
    xml = xml.replace("</PicList><PicList>", "");
  }
  return XStreamTransformer.fromXml(WxOpenXmlMessage.class, xml);
}

Added validation and error handling to fromEncryptedXml():

public static WxOpenXmlMessage fromEncryptedXml(String encryptedXml, WxOpenConfigStorage wxOpenConfigStorage,
                                                String timestamp, String nonce, String msgSignature) {
  WxOpenCryptUtil cryptUtil = new WxOpenCryptUtil(wxOpenConfigStorage);
  String plainText = cryptUtil.decryptXml(msgSignature, timestamp, nonce, encryptedXml);
  log.debug("解密后的原始xml消息内容:{}", plainText);  // "raw xml message content after decryption: {}"

  // Fail closed: a null or blank plaintext means decryption did not produce a message
  if (plainText == null || plainText.trim().isEmpty()) {
    // "decrypted xml message content is empty, please check that the encryption parameters are correct"
    throw new WxRuntimeException("解密后的xml消息内容为空,请检查加密参数是否正确");
  }

  WxOpenXmlMessage wxOpenXmlMessage = fromXml(plainText);
  wxOpenXmlMessage.setContext(plainText);
  return wxOpenXmlMessage;
}

Benefits

  • Prevents crashes: Eliminates NullPointerException when processing encrypted messages
  • Better debugging: Provides clear error messages when decryption fails, helping developers identify configuration issues
  • Backward compatible: Existing working code continues to function normally
  • Defensive programming: Follows best practices for null safety

The fix is minimal and surgical, addressing only the error-prone code paths while maintaining all existing functionality.

Fixes #3700.



Copilot · Sep 22 '25 16:09
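The failure mode described in the PR, as a self-contained added example (this is not WxJava's code and not the Copilot change above). It assumes a stand-in decryptXml with the same contract the fix relies on, namely that it returns null rather than throwing when the message cannot be decrypted; the signature check is the SHA-1-over-sorted-(token, timestamp, nonce, ciphertext) scheme assumed for WeChat callbacks, Base64 stands in for the real AES-CBC step, and a DOM parser stands in for XStreamTransformer. All names (FailClosedDecryptDemo, Message, decryptXml, fromXml, fromEncryptedXml), the token and the sample message are constructed for the demo. It shows the two paths side by side: a valid message is parsed, and a message decrypted under the wrong token is rejected with a clear exception instead of a NullPointerException inside fromXml.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class FailClosedDecryptDemo {

    /** Minimal stand-in for WxOpenXmlMessage: only the fields the demo reads. */
    static final class Message {
        final String infoType;
        final String ticket;
        Message(String infoType, String ticket) { this.infoType = infoType; this.ticket = ticket; }
    }

    static String sha1Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Assumed signature scheme: SHA-1 over the lexicographically sorted token, timestamp, nonce and ciphertext. */
    static String msgSignature(String token, String timestamp, String nonce, String encrypt) throws Exception {
        String[] parts = {token, timestamp, nonce, encrypt};
        Arrays.sort(parts);
        return sha1Hex(String.join("", parts));
    }

    /**
     * Stand-in for WxOpenCryptUtil.decryptXml with the contract the issue depends on:
     * returns null on a signature mismatch instead of throwing.
     * "Decryption" is Base64 decoding here, a placeholder for the real AES-CBC step.
     */
    static String decryptXml(String token, String msgSignature, String timestamp, String nonce, String encrypt)
            throws Exception {
        byte[] expected = msgSignature(token, timestamp, nonce, encrypt).getBytes(StandardCharsets.UTF_8);
        byte[] given = msgSignature.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) {   // constant-time compare
            return null;
        }
        return new String(Base64.getDecoder().decode(encrypt), StandardCharsets.UTF_8);
    }

    static String text(Document doc, String tag) {
        NodeList n = doc.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    /** Counterpart of fromXml: normalise the PicList quirk, then parse with DTDs disabled (no XXE). */
    static Message fromXml(String xml) throws Exception {
        if (xml == null) {
            throw new IllegalArgumentException("xml must not be null");
        }
        xml = xml.replace("</PicList><PicList>", "");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return new Message(text(doc, "InfoType"), text(doc, "ComponentVerifyTicket"));
    }

    /** Counterpart of the patched fromEncryptedXml: validate the plaintext before handing it to the parser. */
    static Message fromEncryptedXml(String token, String encrypt, String timestamp, String nonce, String msgSignature)
            throws Exception {
        String plainText = decryptXml(token, msgSignature, timestamp, nonce, encrypt);
        if (plainText == null || plainText.trim().isEmpty()) {
            throw new IllegalStateException(
                "decrypted xml is empty; check the token/EncodingAESKey and the msg_signature, timestamp and nonce");
        }
        return fromXml(plainText);
    }

    public static void main(String[] args) throws Exception {
        String token = "demo-token";                          // constructed
        String timestamp = "1695369600", nonce = "123456";    // constructed
        String plain = "<xml><AppId>wx_demo</AppId><InfoType>component_verify_ticket</InfoType>"
                     + "<ComponentVerifyTicket>ticket@@@demo</ComponentVerifyTicket></xml>";  // constructed
        String encrypt = Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
        String goodSig = msgSignature(token, timestamp, nonce, encrypt);

        Message m = fromEncryptedXml(token, encrypt, timestamp, nonce, goodSig);
        System.out.println("accepted: " + m.infoType + " " + m.ticket);

        // Wrong token: decryptXml returns null. Without the plaintext check this reached
        // xml.replace(...) as a NullPointerException; with it the caller gets a clear rejection.
        try {
            fromEncryptedXml("other-token", encrypt, timestamp, nonce, goodSig);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac FailClosedDecryptDemo.java && java FailClosedDecryptDemo`. The design point is that a null from the decrypt step is a failed integrity check, not a message with no content, so the handler rejects it explicitly before any parsing happens; the empty/whitespace check covers the same class of failure for a decryptor that returns a blank string instead of null.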