open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2026-03-13 15:05:10 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,050 Commits 50 Branches 94 Tags 15 MiB
0312f2b030
Commit Graph

2050 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
whyour
0312f2b030 更新 npm 版本 v2.17.12 2026-03-01 20:36:42 +08:00
whyour
efea9385ad 修改 debian 版本为 12 bookworm 2026-03-01 20:36:42 +08:00
whyour
ad18dd8624 更新 npm 版本 v2.17.11 2026-03-01 20:36:42 +08:00
whyour
efff526f32 更新 npm 版本 v2.17.10 2026-03-01 20:36:42 +08:00
whyour
eb6a758928 更新 npm 版本 v2.17.9 2026-03-01 20:36:42 +08:00
whyour
bc64ec230e 修复 qinglong 命令 2026-03-01 20:36:42 +08:00
whyour
f421dd43bd 更新 npm 版本 v2.17.8 2026-03-01 20:36:42 +08:00
whyour
247a2f23da npm 启动增加 reload 逻辑 2026-03-01 20:36:42 +08:00
whyour
f1453dccf2 修改 ts 文件执行依赖 2026-03-01 20:36:42 +08:00
whyour
9e9ee67673 更新 npm 版本 v0.21.2 2026-03-01 20:36:42 +08:00
whyour
d4e3fde32a 修改 apt 命令 2026-03-01 20:36:42 +08:00
whyour
0215b7f3a8 安装 linux 依赖自动识别 alpine 和 debian 2026-03-01 20:36:42 +08:00
whyour
ec5c6f2ab2 更新 npm 版本 v0.20.4 2026-03-01 20:36:42 +08:00
whyour
b624b96068 修复 debian netcat 包名 2026-03-01 20:36:42 +08:00
whyour
af5564508f 更新 npm 版本 v0.19.9 2026-03-01 20:36:42 +08:00
whyour
09087df0c9 修改 npm 安装启动命令 2026-03-01 20:36:42 +08:00
whyour
3a760097e2 更新 npm 版本 v0.18.0 2026-03-01 20:36:42 +08:00
whyour
adbc3137bc 更新 npm 版本 v0.17.0 2026-03-01 20:36:42 +08:00
whyour
e151085804 修复 linux 镜像源 2026-03-01 20:36:42 +08:00
whyour
957b5684bb 更新 npm 版本 v0.16.0 2026-03-01 20:36:42 +08:00
whyour
e781d0039c 更新 workflow action 版本 2026-03-01 20:36:41 +08:00
whyour
6371d1f49d 增加 npx 命令 2026-03-01 20:36:41 +08:00
whyour
5b32871b3f 更新 npm 版本 v0.14.5 2026-03-01 20:36:41 +08:00
whyour
98fc5bae50 修复 workflow 2026-03-01 20:36:41 +08:00
whyour
57d0af0a6c 移除 qinglong 命令 npm 默认镜像源 2026-03-01 20:36:41 +08:00
whyour
f156c04e11 修复 qinglong 命令 2026-03-01 20:36:41 +08:00
whyour
8033558c27 修改切换 linux 镜像源 2026-03-01 20:36:41 +08:00
whyour
7cc8a7a5e7 增加 debian 开发版本 2026-03-01 20:36:41 +08:00
whyour
dde45d0036 更新 npm 版本 v0.13.2 2026-03-01 20:36:41 +08:00
whyour
8b7d4c29a4 修复 qinglong 命令 2026-03-01 20:36:41 +08:00
whyour
c49bbf3ff1 修复 shell check_server 2026-03-01 20:36:41 +08:00
whyour
2a3223fbe7 修复拉取私有仓库 2026-03-01 20:36:41 +08:00
dream10201
38bce51ee7 修复linux依赖检测 (#2082) 2026-03-01 20:36:41 +08:00
whyour
90041367c6 更新 npm v0.8.4 2026-03-01 20:36:41 +08:00
whyour
ae122a77e8 更新 npm 版本 0.7.7 2026-03-01 20:36:41 +08:00
whyour
9c3553c0e7 修复 debian apt 命令,支持 qinglong 命令 2026-03-01 20:36:41 +08:00
whyour
407618fa04 增加 debian-slim 基础镜像 2026-03-01 20:36:41 +08:00
whyour
ade5d857f7 修改获取示例文件 api path 2026-03-01 20:36:41 +08:00
whyour
275d8af4e2 更新版本 v2.20.2 2026-03-01 20:35:25 +08:00
whyour
544c432f49 修复 PATH 环境变量 2026-03-01 20:35:19 +08:00
Copilot
6bec52dca1
Fix /open/user/init auth bypass allowing credential reset on initialized systems (#2941) 
* Initial plan

* fix: add /open/user/init paths to init guard to prevent auth bypass

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <imwhyour@gmail.com>
 2026-03-01 18:02:21 +08:00
rockymelody
ce599d306f
青龙面板鉴权绕过漏洞已修复 (#2935) 
已实施的安全加固措施
第一层防御:启用Express严格路由(第17-18行)
app.set('case sensitive routing', true);  // 路由大小写敏感
app.set('strict routing', true);           // 严格路由匹配
第二层防御:路径标准化检查中间件(第23-37行)
app.use((req, res, next) => {
  const originalPath = req.path;
  const normalizedPath = originalPath.toLowerCase();

  // 检测并拦截大小写混淆攻击
  if (originalPath !== normalizedPath &&
      (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
    return res.status(400).json({
      code: 400,
      message: 'Invalid path format'
    });
  }

  next();
});
作用:主动检测并拒绝含有大小写变体的恶意请求
第三层防御:JWT中间件正则表达式修复(第59行)
// 修复前:
path: [...config.apiWhiteList, /^\/(?!api\/).*/],

// 修复后:添加大小写不敏感标志 'i'
path: [...config.apiWhiteList, /^(\/(?!api\/).*)$/i],
作用:防御正则匹配层面的绕过
第四层防御:自定义Token中间件路径标准化(第74-87行)
// 修复前:
if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {

// 修复后:统一转小写比较
const pathLower = req.path.toLowerCase();
if (!['/open/', '/api/'].some((x) => pathLower.startsWith(x))) {
}
作用:确保Token验证逻辑对所有路径变体生效

第五层防御:初始化接口路径检查修复(第122-123行)
// 修复前:
if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {

// 修复后:
const pathLower = req.path.toLowerCase();
if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
 2026-03-01 17:44:03 +08:00
whyour
d53437d169 更新 2.20.1 2025-12-26 21:17:30 +08:00
whyour
d526602d19 修复运行中任务停止操作 2025-12-26 01:07:08 +08:00
whyour
91b44914f6 修复环境变量排序 2025-12-26 00:41:32 +08:00
whyour
4f6c93cc1c 更新 workflow 2025-12-24 01:03:21 +08:00
whyour
e326d89571 修复 apiWhiteList 路径 2025-12-23 00:58:09 +08:00
whyour
5f0dafa010 修复 cron-parser import,websocket basepath 2025-12-23 00:28:16 +08:00
Copilot
dc0b3f2eb2
Fix QlBaseUrl: use URL rewrite for base path support (#2876) 
* Initial plan

* Add QlBaseUrl support to backend routes

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Fix whitelist check to use base-URL-aware paths

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Update websocket and frontend to support base URL

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Address code review feedback: fix JWT regex and path construction

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Fix path construction: use req.path directly for whitelist check

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add clarifying comments and improve code readability

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Apply code review suggestions: improve clarity and simplify logic

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Simplify baseUrl implementation using URL rewrite

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
 2025-12-22 23:44:29 +08:00
Copilot
3db716763d
Fix cron-parser v5 bundling incompatibility causing validation failures (#2877) 
* Initial plan

* Fix: Use default import for cron-parser to ensure browser compatibility

Changed from named export `{ CronExpressionParser }` to default export `cronParser` and access `CronExpressionParser` through it. This ensures compatibility with webpack/UmiJS bundling for browser environments while maintaining backend functionality.

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
 2025-12-22 23:43:54 +08:00