修复代码审查问题：hexToBytes 增加输入验证，改进测试代码质量

Copilot · binarywang · web-flow · commit ee161b56f169 · 2026-04-22T13:30:17.000Z
Agent-Logs-Url: https://github.com/binarywang/WxJava/sessions/f3aba758-8b4a-479f-96bd-88ce00a9c176 Co-authored-by: binarywang <1343140+binarywang@users.noreply.github.com>
diff --git a/weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/util/crypt/WxMaCryptUtils.java b/weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/util/crypt/WxMaCryptUtils.java
@@ -145,13 +145,24 @@ public static String encryptWithEncryptKey(String encryptKey, String hexIv, Stri
 
   /**
    * 将 Hex 字符串转换为字节数组.
+   *
+   * @param hex Hex 字符串（长度必须为偶数，只包含 0-9 和 a-f/A-F 字符）
+   * @return 字节数组
+   * @throws IllegalArgumentException 如果输入不是合法的 Hex 字符串
    */
   private static byte[] hexToBytes(String hex) {
+    if (hex == null || hex.length() % 2 != 0) {
+      throw new IllegalArgumentException("无效的十六进制字符串格式：长度必须为偶数");
+    }
     int len = hex.length();
     byte[] data = new byte[len / 2];
     for (int i = 0; i < len; i += 2) {
-      data[i / 2] = (byte) ((Character.digit(hex.charAt(i), 16) << 4)
-        + Character.digit(hex.charAt(i + 1), 16));
+      int high = Character.digit(hex.charAt(i), 16);
+      int low = Character.digit(hex.charAt(i + 1), 16);
+      if (high == -1 || low == -1) {
+        throw new IllegalArgumentException("无效的十六进制字符串格式：包含非法字符 '" + hex.charAt(high == -1 ? i : i + 1) + "'");
+      }
+      data[i / 2] = (byte) ((high << 4) + low);
     }
     return data;
   }
diff --git a/weixin-java-miniapp/src/test/java/cn/binarywang/wx/miniapp/util/crypt/WxMaCryptUtilsTest.java b/weixin-java-miniapp/src/test/java/cn/binarywang/wx/miniapp/util/crypt/WxMaCryptUtilsTest.java
@@ -14,6 +14,10 @@
  * @author <a href="https://github.com/binarywang">Binary Wang</a>
  */
 public class WxMaCryptUtilsTest {
+  // 模拟来自 getUserEncryptKey 接口返回的 encrypt_key（Base64）和 iv（Hex，32位即16字节）
+  private static final String ENCRYPT_KEY = "VI6BpyrK9XH4i4AIGe86tg==";
+  private static final String HEX_IV = "6003f73ec441c3866003f73ec441c386";
+
   @Test
   public void testDecrypt() {
     String sessionKey = "7MG7jbTToVVRWRXVA885rg==";
@@ -39,30 +43,24 @@ public void testDecryptAnotherWay() {
    */
   @Test
   public void testEncryptAndDecryptWithEncryptKey() {
-    // 模拟来自 getUserEncryptKey 接口的 encrypt_key（Base64）和 iv（Hex）
-    String encryptKey = "VI6BpyrK9XH4i4AIGe86tg==";
-    String hexIv = "6003f73ec441c3866003f73ec441c386";
     String plainText = "{\"userId\":\"12345\",\"amount\":100}";
 
-    String encrypted = WxMaCryptUtils.encryptWithEncryptKey(encryptKey, hexIv, plainText);
+    String encrypted = WxMaCryptUtils.encryptWithEncryptKey(ENCRYPT_KEY, HEX_IV, plainText);
     assertThat(encrypted).isNotNull().isNotEmpty();
 
-    String decrypted = WxMaCryptUtils.decryptWithEncryptKey(encryptKey, hexIv, encrypted);
+    String decrypted = WxMaCryptUtils.decryptWithEncryptKey(ENCRYPT_KEY, HEX_IV, encrypted);
     assertThat(decrypted).isEqualTo(plainText);
   }
 
   /**
-   * 测试使用已知密文验证解密结果（加密网络通道）.
+   * 测试加密网络通道的加解密对称性（不同明文）.
    */
   @Test
-  public void testDecryptWithEncryptKey() {
-    String encryptKey = "VI6BpyrK9XH4i4AIGe86tg==";
-    String hexIv = "6003f73ec441c3866003f73ec441c386";
+  public void testEncryptDecryptSymmetryWithEncryptKey() {
     String plainText = "hello miniprogram";
 
-    // 先加密再解密，验证对称性
-    String encrypted = WxMaCryptUtils.encryptWithEncryptKey(encryptKey, hexIv, plainText);
-    String decrypted = WxMaCryptUtils.decryptWithEncryptKey(encryptKey, hexIv, encrypted);
+    String encrypted = WxMaCryptUtils.encryptWithEncryptKey(ENCRYPT_KEY, HEX_IV, plainText);
+    String decrypted = WxMaCryptUtils.decryptWithEncryptKey(ENCRYPT_KEY, HEX_IV, encrypted);
     assertThat(decrypted).isEqualTo(plainText);
   }
 }
