Commit Graph

15 Commits

Author SHA1 Message Date
Flody.lee
59a357f76f fix(security): harden command injection, path traversal, auth surfaces
Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).

- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
  are now shell-escaped before reaching spawn() and validated with strict
  Joi patterns at the API, closing OS command injection and the
  downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
  pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
  (prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
  fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
  (crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
  default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 11:22:15 +08:00
whyour
5f0dafa010 Fix cron-parser import, websocket basepath 2025-12-23 00:28:16 +08:00
whyour
1deb264913 Upgrade cron-parser 2025-11-11 00:37:03 +08:00
whyour
8b042d90f3 Fix the delete-log command 2024-08-24 22:43:09 +08:00
whyour
b4e5db9da9 Deleting a subscription can automatically delete its tasks and scripts 2023-07-30 21:15:46 +08:00
whyour
76fa82c3a7 Subscriptions support settings for automatically adding and deleting tasks 2023-02-09 00:20:28 +08:00
whyour
0a6166c557 Add proxy parameter to subscriptions 2022-11-13 23:58:42 +08:00
whyour
c4a4764762 Remove useless logs 2022-06-08 11:12:15 +08:00
whyour
471e778a61 Modify interval_schedule validation 2022-05-30 10:26:30 +08:00
whyour
8d46115823 Fix switching subscription interval 2022-05-26 14:41:22 +08:00
whyour
189826c5db Add before/after to subscriptions 2022-05-20 01:15:45 +08:00
whyour
7caabe9063 Improve pulling private repositories 2022-05-18 01:14:10 +08:00
whyour
f6a122e5ea Update creating file subscriptions 2022-05-15 15:25:23 +08:00
whyour
5523d537dc Improve subscription API 2022-05-14 21:38:26 +08:00
whyour
419c5a7c5b Add subscription API 2022-05-10 19:54:05 +08:00