From 77c9cc6a6dab8910e7a97ebd8e3b8e836a26dc73 Mon Sep 17 00:00:00 2001
From: Vasiliy Mikhailov
Date: Wed, 24 Jun 2026 23:10:45 +0300
Subject: [PATCH] Mask secret query parameter when it is the last parameter

handleDataWithSecret masks the secret value before logging, but the regex &secret=\w+& requires a trailing &. When secret is the last query parameter (e.g. appid=wx123&secret=abc123) there is no trailing &, so it is not masked and leaks in logs. Drop the trailing-& requirement so the value is masked regardless of position; the middle-parameter case is unchanged. Adds a regression test.

---
 .../java/me/chanjar/weixin/common/util/DataUtils.java | 2 +-
 .../me/chanjar/weixin/common/util/DataUtilsTest.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/DataUtils.java b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/DataUtils.java
index b8fb42e0e9..c6f441b525 100644
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/DataUtils.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/DataUtils.java
@@ -18,7 +18,7 @@ public class DataUtils {
 public static E handleDataWithSecret(E data) {
 E dataForLog = data;
 if(data instanceof String && StringUtils.contains((String)data, "&secret=")){
- dataForLog = (E) RegExUtils.replaceAll((String)data,"&secret=\\w+&","&secret=******&");
+ dataForLog = (E) RegExUtils.replaceAll((String)data,"&secret=\\w+","&secret=******");
 }
 return dataForLog;
 }
diff --git a/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/DataUtilsTest.java b/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/DataUtilsTest.java
index f5732d9a0b..1794c3d4dd 100644
--- a/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/DataUtilsTest.java
+++ b/weixin-java-common/src/test/java/me/chanjar/weixin/common/util/DataUtilsTest.java
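Review bot: The new pattern `&secret=\\w+` on the `+` line masks only ASCII word characters (`[A-Za-z0-9_]`), so a secret value containing anything else, such as a percent-encoded or `-`/`.`-containing value, would be only partially masked and the remainder would still reach the log; matching up to the next separator closes that gap, `dataForLog = (E) RegExUtils.replaceAll((String)data,"&secret=[^&]+","&secret=******");`. The `StringUtils.contains` guard on the preceding context line still requires a leading `&`, so a secret that is the first query parameter (`secret=...&appid=...`) is neither detected nor masked; if that layout can occur, both the guard and the pattern should accept start-of-string as well as `&` before `secret=`. Whether the secrets this project handles are always word characters is not visible here, so the first point is a hardening of the masking rather than a demonstrated leak. handleDataWithSecret is shown in full, but the rest of DataUtils lies outside the hunk.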
@@ -19,4 +19,13 @@ public void testHandleDataWithSecret() {
 final String s = DataUtils.handleDataWithSecret(data);
 assertTrue(s.contains("&secret=******&"));
 }
+
+ @Test
+ public void testHandleDataWithSecretAtEnd() {
+ // Secret is the last parameter in the query string, so there is no trailing &
+ String data = "appid=wx123&secret=abc123";
+ final String s = DataUtils.handleDataWithSecret(data);
+ assertFalse(s.contains("abc123"), "Secret at the end of the string should be masked");
+ assertTrue(s.contains("secret=******"), "Secret should be replaced with asterisks");
+ }
 }
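Review bot: The `assertTrue(s.contains("secret=******"), ...)` on the new test's last assertion passes even if the other parameters were altered or the secret only partly replaced; asserting the whole result, `assertEquals` of `s` against `"appid=wx123&secret=******"` (in the argument order the test framework expects), pins both the masking and the preservation of the rest of the string. The fixture secret `abc123` consists only of word characters, so this test cannot detect partial masking of a value containing other characters; a second fixture with such a value would make the regression guard stronger. The body of testHandleDataWithSecret starts outside the hunk.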