diff --git a/back/data/cron.ts b/back/data/cron.ts index b234d59c..422b58e4 100644 --- a/back/data/cron.ts +++ b/back/data/cron.ts @@ -21,6 +21,7 @@ export class Crontab { extra_schedules?: Array<{ schedule: string }>; task_before?: string; task_after?: string; + log_name?: string; constructor(options: Crontab) { this.name = options.name; @@ -45,6 +46,7 @@ export class Crontab { this.extra_schedules = options.extra_schedules; this.task_before = options.task_before; this.task_after = options.task_after; + this.log_name = options.log_name; } } @@ -55,7 +57,7 @@ export enum CrontabStatus { 'disabled', } -export interface CronInstance extends Model, Crontab { } +export interface CronInstance extends Model, Crontab {} export const CrontabModel = sequelize.define('Crontab', { name: { unique: 'compositeIndex', @@ -84,4 +86,5 @@ export const CrontabModel = sequelize.define('Crontab', { extra_schedules: DataTypes.JSON, task_before: DataTypes.STRING, task_after: DataTypes.STRING, + log_name: DataTypes.STRING, }); diff --git a/back/loaders/db.ts b/back/loaders/db.ts index ac142a2d..8dd00ca8 100644 --- a/back/loaders/db.ts +++ b/back/loaders/db.ts @@ -56,6 +56,11 @@ export default async () => { try { await sequelize.query('alter table Crontabs add column task_after TEXT'); } catch (error) {} + try { + await sequelize.query( + 'alter table Crontabs add column log_name VARCHAR(255)', + ); + } catch (error) {} Logger.info('✌️ DB loaded'); } catch (error) { diff --git a/back/services/cron.ts b/back/services/cron.ts index a838ce9e..cbae3cc0 100644 --- a/back/services/cron.ts +++ b/back/services/cron.ts @@ -476,15 +476,61 @@ export default class CronService { `[panel][开始执行任务] 参数: ${JSON.stringify(params)}`, ); - let { id, command, log_path } = cron; - const uniqPath = await getUniqPath(command, `${id}`); - const logTime = dayjs().format('YYYY-MM-DD-HH-mm-ss-SSS'); - const logDirPath = path.resolve(config.logPath, `${uniqPath}`); - if (log_path?.split('/')?.every((x) => x !== uniqPath)) { - await fs.mkdir(logDirPath, { recursive: true }); + let { id, command, log_path, log_name } = cron; + + // Check if log_name is an absolute path + const isAbsolutePath = log_name && log_name.startsWith('/'); + + let uniqPath: string; + let absolutePath: string; + let logPath: string; + + if (isAbsolutePath) { + // Special case: /dev/null is allowed as-is to discard logs + if (log_name === '/dev/null') { + uniqPath = log_name; + absolutePath = log_name; + logPath = log_name; + } else { + // For other absolute paths, ensure they are within the safe log directory + const normalizedLogName = path.normalize(log_name!); + const normalizedLogPath = path.normalize(config.logPath); + + if (!normalizedLogName.startsWith(normalizedLogPath)) { + this.logger.error( + `[panel][日志路径安全检查失败] 绝对路径必须在日志目录内: ${log_name}`, + ); + // Fallback to auto-generated path for security + const fallbackUniqPath = await getUniqPath(command, `${id}`); + const logTime = dayjs().format('YYYY-MM-DD-HH-mm-ss-SSS'); + const logDirPath = path.resolve(config.logPath, `${fallbackUniqPath}`); + if (log_path?.split('/')?.every((x) => x !== fallbackUniqPath)) { + await fs.mkdir(logDirPath, { recursive: true }); + } + logPath = `${fallbackUniqPath}/${logTime}.log`; + absolutePath = path.resolve(config.logPath, `${logPath}`); + uniqPath = fallbackUniqPath; + } else { + // Absolute path is safe, use it + uniqPath = log_name!; + absolutePath = log_name!; + logPath = log_name!; + } + } + } else { + // Sanitize log_name to prevent path traversal for relative paths + const sanitizedLogName = log_name + ? log_name.replace(/[\/\\\.]/g, '_').replace(/^_+|_+$/g, '') + : ''; + uniqPath = sanitizedLogName || (await getUniqPath(command, `${id}`)); + const logTime = dayjs().format('YYYY-MM-DD-HH-mm-ss-SSS'); + const logDirPath = path.resolve(config.logPath, `${uniqPath}`); + if (log_path?.split('/')?.every((x) => x !== uniqPath)) { + await fs.mkdir(logDirPath, { recursive: true }); + } + logPath = `${uniqPath}/${logTime}.log`; + absolutePath = path.resolve(config.logPath, `${logPath}`); } - const logPath = `${uniqPath}/${logTime}.log`; - const absolutePath = path.resolve(config.logPath, `${logPath}`); const cp = spawn( `real_log_path=${logPath} no_delay=true ${this.makeCommand( cron, diff --git a/back/validation/schedule.ts b/back/validation/schedule.ts index a280156a..3a429ed1 100644 --- a/back/validation/schedule.ts +++ b/back/validation/schedule.ts @@ -1,6 +1,8 @@ import { Joi } from 'celebrate'; import cron_parser from 'cron-parser'; import { ScheduleType } from '../interface/schedule'; +import path from 'path'; +import config from '../config'; const validateSchedule = (value: string, helpers: any) => { if ( @@ -37,4 +39,43 @@ export const commonCronSchema = { extra_schedules: Joi.array().optional().allow(null), task_before: Joi.string().optional().allow('').allow(null), task_after: Joi.string().optional().allow('').allow(null), + log_name: Joi.string() + .optional() + .allow('') + .allow(null) + .custom((value, helpers) => { + if (!value) return value; + + // Check if it's an absolute path + if (value.startsWith('/')) { + // Allow /dev/null as special case + if (value === '/dev/null') { + return value; + } + + // For other absolute paths, ensure they are within the safe log directory + const normalizedValue = path.normalize(value); + const normalizedLogPath = path.normalize(config.logPath); + + if (!normalizedValue.startsWith(normalizedLogPath)) { + return helpers.error('string.unsafePath'); + } + + return value; + } + + // For relative names, enforce strict pattern + if (!/^[a-zA-Z0-9_-]+$/.test(value)) { + return helpers.error('string.pattern.base'); + } + if (value.length > 100) { + return helpers.error('string.max'); + } + return value; + }) + .messages({ + 'string.pattern.base': '日志名称只能包含字母、数字、下划线和连字符', + 'string.max': '日志名称不能超过100个字符', + 'string.unsafePath': '绝对路径必须在日志目录内或使用 /dev/null', + }), }; diff --git a/src/locales/en-US.json b/src/locales/en-US.json index 9a21ef3a..7d1e7675 100644 --- a/src/locales/en-US.json +++ b/src/locales/en-US.json @@ -521,5 +521,14 @@ "远程仓库缓存": "Remote repository cache", "SSH 文件缓存": "SSH file cache", "清除依赖缓存": "Clean dependency cache", - "清除成功": "Clean successful" + "清除成功": "Clean successful", + "日志名称": "Log Name", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "Custom log folder name to distinguish logs from different tasks. Leave blank to auto-generate", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持绝对路径如 /dev/null": "Custom log folder name to distinguish logs from different tasks. Leave blank to auto-generate. Supports absolute paths like /dev/null", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持 /dev/null 丢弃日志,其他绝对路径必须在日志目录内": "Custom log folder name to distinguish logs from different tasks. Leave blank to auto-generate. Supports /dev/null to discard logs, other absolute paths must be within log directory", + "请输入自定义日志文件夹名称": "Please enter a custom log folder name", + "请输入自定义日志文件夹名称或绝对路径": "Please enter a custom log folder name or absolute path", + "请输入自定义日志文件夹名称或 /dev/null": "Please enter a custom log folder name or /dev/null", + "日志名称只能包含字母、数字、下划线和连字符": "Log name can only contain letters, numbers, underscores and hyphens", + "日志名称不能超过100个字符": "Log name cannot exceed 100 characters" } diff --git a/src/locales/zh-CN.json b/src/locales/zh-CN.json index c19d6984..97e97f20 100644 --- a/src/locales/zh-CN.json +++ b/src/locales/zh-CN.json @@ -521,5 +521,14 @@ "远程仓库缓存": "远程仓库缓存", "SSH 文件缓存": "SSH 文件缓存", "清除依赖缓存": "清除依赖缓存", - "清除成功": "清除成功" + "清除成功": "清除成功", + "日志名称": "日志名称", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持绝对路径如 /dev/null": "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持绝对路径如 /dev/null", + "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持 /dev/null 丢弃日志,其他绝对路径必须在日志目录内": "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成。支持 /dev/null 丢弃日志,其他绝对路径必须在日志目录内", + "请输入自定义日志文件夹名称": "请输入自定义日志文件夹名称", + "请输入自定义日志文件夹名称或绝对路径": "请输入自定义日志文件夹名称或绝对路径", + "请输入自定义日志文件夹名称或 /dev/null": "请输入自定义日志文件夹名称或 /dev/null", + "日志名称只能包含字母、数字、下划线和连字符": "日志名称只能包含字母、数字、下划线和连字符", + "日志名称不能超过100个字符": "日志名称不能超过100个字符" } diff --git a/src/pages/crontab/modal.tsx b/src/pages/crontab/modal.tsx index 6a7c0492..d010adbe 100644 --- a/src/pages/crontab/modal.tsx +++ b/src/pages/crontab/modal.tsx @@ -180,6 +180,42 @@ const CronModal = ({ + { + if (!value) return Promise.resolve(); + // Allow /dev/null specifically + if (value === '/dev/null') return Promise.resolve(); + // Warn about other absolute paths (server will validate) + if (value.startsWith('/')) { + // We can't validate the exact path on frontend, but inform user + return Promise.resolve(); + } + // For relative names, enforce strict pattern + if (!/^[a-zA-Z0-9_-]+$/.test(value)) { + return Promise.reject( + intl.get('日志名称只能包含字母、数字、下划线和连字符'), + ); + } + if (value.length > 100) { + return Promise.reject(intl.get('日志名称不能超过100个字符')); + } + return Promise.resolve(); + }, + }, + ]} + > + +