Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).

- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
are now shell-escaped before reaching spawn() and validated with strict
Joi patterns at the API, closing OS command injection and the
downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
(prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
(crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
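
The two containment fixes listed in the commit message above (resolving the path before the check, and the sibling-directory bypass), shown as an added example that is not the project's own code. The function names and the `/ql/data/scripts` base path are assumptions, and the check is lexical (`path.resolve`); a symlink-aware variant would compare `fs.realpathSync` results instead.

```javascript
// POSIX path rules so the results are the same on any host OS.
const path = require('node:path').posix;

// Constructed base directory (assumption; not taken from the project).
const SCRIPTS_DIR = '/ql/data/scripts';

// Flaw 1: the check runs on the unresolved string, so ".." segments pass.
function unresolvedCheck(base, requested) {
  return `${base}/${requested}`.startsWith(`${base}/`);
}

// Flaw 2: the path is resolved, but a bare prefix test also accepts
// sibling directories whose names merely start with the base name.
function naivePrefixCheck(base, requested) {
  return path.resolve(base, requested).startsWith(base);
}

// Hardened: resolve first, then require that the relative path from the
// base stays inside it (no leading ".." segment, not absolute).
function isContained(base, requested) {
  const root = path.resolve(base);
  const rel = path.relative(root, path.resolve(root, requested));
  return rel !== '..' && !rel.startsWith('../') && !path.isAbsolute(rel);
}

// Constructed sample inputs, one per case worth checking.
const samples = [
  'sub/task.js',           // legitimate file below the base
  '../db/database.sqlite', // ".." traversal out of the base
  '../scripts_bak/x.sh',   // sibling directory sharing the base prefix
  '/tmp/out.txt',          // absolute path
  '..notes.js',            // odd but legitimate name inside the base
];

// One row per sample: what each check decides.
function report() {
  return samples.map((p) => ({
    path: p,
    unresolved: unresolvedCheck(SCRIPTS_DIR, p),
    prefix: naivePrefixCheck(SCRIPTS_DIR, p),
    contained: isContained(SCRIPTS_DIR, p),
  }));
}

console.table(report());
```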

Replace Yikun/hub-mirror-action with manual git push for Gitee mirrors. The action HTTPS API call to gitee.com timed out (60s). Use set +e with explicit notice/warning status. Also add .deepseek/ to .gitignore.

The data export feature (system backup) writes data.tgz to
`config.tmpPath` which resolves to `<rootPath>/.tmp/`. However,
`initFile.ts` only created `<dataPath>/log/.tmp/` (used for crontab
list temp files), never the root-level `.tmp/` directory.

In Docker deployments, `shell/share.sh`'s `fix_config()` creates
`$dir_root/.tmp` during shell initialization, but local/non-Docker
deployments that start the Node service directly skip the shell init,
causing a 404 ENOENT error when attempting to export/backup data.

Add `rootTmpPath` (`<rootPath>/.tmp/`) to the directories array in
`initFile.ts` so it is created during Node service startup regardless
of deployment method.

* Initial plan
* fix: use QlPort env variable in health check with fallback to default 5700
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>