Fix auth bypass: normalize URL path to lowercase before JWT/auth checks

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-03-01 09:39:35 +00:00
parent eaafaf3dfc
commit ee8fb68839


@ -22,6 +22,14 @@ export default ({ app }: { app: Application }) => {
app.use(rewrite(`${config.baseUrl}/*`, '/$1')); app.use(rewrite(`${config.baseUrl}/*`, '/$1'));
} }
// Normalize URL path to lowercase to prevent authentication bypass via mixed-case paths
// e.g. /API/system/command-run should not bypass JWT checks designed for /api/...
// The regex only matches the path portion (stops at ? or #), preserving query strings.
app.use((req: Request, res: Response, next: NextFunction) => {
req.url = req.url.replace(/^[^?#]*/, (p) => p.toLowerCase());
next();
});
app.get(`${config.api.prefix}/env.js`, serveEnv); app.get(`${config.api.prefix}/env.js`, serveEnv);
app.use(`${config.api.prefix}/static`, express.static(config.uploadPath)); app.use(`${config.api.prefix}/static`, express.static(config.uploadPath));
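Review bot: Rewriting `req.url` in the `req.url = req.url.replace(...)` line lowercases the path for every downstream handler, not only the auth check, so `express.static(config.uploadPath)` registered right after it will no longer serve uploaded files whose names contain uppercase characters on a case-sensitive filesystem, and any route that compares `req.path` case-sensitively now sees only lowercase. A narrower fix is to leave `req.url` alone and have the JWT middleware match against a lowercased copy (`const path = req.path.toLowerCase();`), or to make mixed-case paths fail routing altogether with `app.set('case sensitive routing', true);` — Express routes are case-insensitive by default, which is presumably how `/API/...` reached the handler in the first place. Note that `req.originalUrl` is not rewritten here, so any check that reads it instead of `req.url`/`req.path` remains bypassable; worth confirming in the auth middleware, which is not in this hunk. Percent-encoded letters (`/%41pi/...`) are likewise untouched by `toLowerCase()`, and whether they can reach a protected handler depends on how the router decodes before matching, so a regression test for that form is warranted. The enclosing `export default ({ app }) => {` function begins before this hunk, and the hunk header counts more lines than are shown here.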