fix：multi-thread safety vulnerabilities（修复格式化对象非线程安全的漏洞）

2025-07-17 00:00:04 +08:00 · 2024-10-17 11:11:28 +08:00 · 2024-10-17 11:11:28 +08:00 · 9bab361618
commit 9bab361618
parent 01e15bda39
1 changed files with 18 additions and 13 deletions
--- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/response/WorkerStatusVO.java
+++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/response/WorkerStatusVO.java
@ -6,7 +6,7 @@ import tech.powerjob.common.model.SystemMetrics;
 import tech.powerjob.common.utils.CommonUtils;
 import tech.powerjob.server.common.module.WorkerInfo;

-import java.text.DecimalFormat;
+import java.text.NumberFormat;

 /**
 * Worker机器状态
@ -51,32 +51,37 @@ public class WorkerStatusVO {

    private static final double THRESHOLD = 0.8;

-    // 使用 ThreadLocal 为每个线程提供独立的 DecimalFormat 实例
-    private static final ThreadLocal<DecimalFormat> DECIMAL_FORMAT_THREAD_LOCAL = ThreadLocal.withInitial(() -> new DecimalFormat("#.#"));
-
+    // 静态 NumberFormat 实例，线程安全
+    private static final NumberFormat NUMBER_FORMAT;
+    // 静态初始化块，配置 NumberFormat 的格式
+    static {
+        NUMBER_FORMAT = NumberFormat.getInstance();
+        // 设置最小小数位数为 0
+        NUMBER_FORMAT.setMinimumFractionDigits(0);
+        // 设置最大小数位数为 1
+        NUMBER_FORMAT.setMaximumFractionDigits(1);
+    }
    public WorkerStatusVO(WorkerInfo workerInfo) {
-        // 获取当前线程的 DecimalFormat 实例
-        DecimalFormat df = DECIMAL_FORMAT_THREAD_LOCAL.get();
        SystemMetrics systemMetrics = workerInfo.getSystemMetrics();

        this.status = 1;
        this.address = workerInfo.getAddress();
-        this.cpuLoad = String.format(CPU_FORMAT, df.format(systemMetrics.getCpuLoad()), systemMetrics.getCpuProcessors());
+        this.cpuLoad = String.format(CPU_FORMAT, NUMBER_FORMAT.format(systemMetrics.getCpuLoad()), systemMetrics.getCpuProcessors());
        if (systemMetrics.getCpuLoad() > systemMetrics.getCpuProcessors() * THRESHOLD) {
            this.status ++;
        }

-        String menL = df.format(systemMetrics.getJvmMemoryUsage() * 100);
-        String menUsed = df.format(systemMetrics.getJvmUsedMemory());
-        String menMax = df.format(systemMetrics.getJvmMaxMemory());
+        String menL = NUMBER_FORMAT.format(systemMetrics.getJvmMemoryUsage() * 100);
+        String menUsed = NUMBER_FORMAT.format(systemMetrics.getJvmUsedMemory());
+        String menMax = NUMBER_FORMAT.format(systemMetrics.getJvmMaxMemory());
        this.memoryLoad = String.format(OTHER_FORMAT, menL, menUsed, menMax);
        if (systemMetrics.getJvmMemoryUsage() > THRESHOLD) {
            this.status ++;
        }

-        String diskL = df.format(systemMetrics.getDiskUsage() * 100);
-        String diskUsed = df.format(systemMetrics.getDiskUsed());
-        String diskMax = df.format(systemMetrics.getDiskTotal());
+        String diskL = NUMBER_FORMAT.format(systemMetrics.getDiskUsage() * 100);
+        String diskUsed = NUMBER_FORMAT.format(systemMetrics.getDiskUsed());
+        String diskMax = NUMBER_FORMAT.format(systemMetrics.getDiskTotal());
        this.diskLoad = String.format(OTHER_FORMAT, diskL, diskUsed, diskMax);
        if (systemMetrics.getDiskUsage() > THRESHOLD) {
            this.status ++;