open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2026-06-28 02:45:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,063 Commits 51 Branches 95 Tags 18 MiB
59a357f76f
Commit Graph

55 Commits

Author SHA1 Message Date
Flody.lee
59a357f76f fix(security): harden command injection, path traversal, auth surfaces 
Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).

- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
  are now shell-escaped before reaching spawn() and validated with strict
  Joi patterns at the API, closing OS command injection and the
  downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
  pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
  (prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
  fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
  (crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
  default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-22 11:22:15 +08:00
whyour
96b4c90398 增加 sudo 命令判断 2026-06-13 00:53:41 +08:00
whyour
05f8fd3805 接口提示信息国际化 2026-06-11 02:19:04 +08:00
whyour
5f0dafa010 修复 cron-parser import,websocket basepath 2025-12-23 00:28:16 +08:00
Copilot
073de76a4a
Fix validation error when saving scripts in debug window (v2.20.0 regression) (#2862) 
* 更新版本 2.20.0

* Initial plan

* Fix validation error when saving scripts by allowing unknown fields in POST /scripts

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Revert version.yaml to 2.19.2 - should not include version bump in bug fix PR

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: whyour <imwhyour@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
 2025-12-22 22:43:48 +08:00
whyour
c772fc9527 修复脚本调试保存文件错误 2025-12-11 01:52:47 +08:00
whyour
3b0f55caf4 修复任务实例默认值 2025-11-23 12:45:02 +08:00
涛之雨
f7472b6e74
Add input validation to script API routes (#2777) 
* Add input validation to script API routes

* 优化脚本 API 路由的错误处理逻辑

* Fix optional path compatibility checks

* remove file
 2025-10-11 23:20:26 +08:00
whyour
1c18668bad 修复文件下载参数 2025-05-22 00:09:19 +08:00
whyour
40a831f3a2 修复脚本管理查询逻辑 2025-04-25 01:40:37 +08:00
whyour
c0ec063333 修复删除脚本参数 2025-03-18 23:17:03 +08:00
whyour
cf94ecfb11 脚本管理和日志管理支持下载 2025-03-13 00:22:24 +08:00
whyour
05f8bbd26e 写入文件增加文件锁,避免竞争条件引起文件内容异常 2025-01-04 01:22:29 +08:00
whyour
a0613d0f39 修复文件越权访问 2024-09-04 23:25:48 +08:00
whyour
f723631647 修复脚本管理上传文件文件名乱码 2024-04-22 22:39:27 +08:00
whyour
e83058c3bc 兼容脚本、日志、配置文件详情接口 2024-02-08 20:47:03 +08:00
whyour
0ae1f284ec 修改脚本详情和日志详情接口 2024-01-29 21:47:03 +08:00
whyour
2713942a68 脚本管理忽略符号文件 2023-12-23 00:28:31 +08:00
whyour
f8aba4b1fb 日志和脚本增加文件大小展示,修改脚本管理列表排序 2023-12-21 09:57:06 +08:00
whyour
20f615eadf fs 文件操作替换为 fs.promise 2023-11-01 16:44:34 +08:00
whyour
ec5b885476 修改任务队列执行日志 2023-10-06 02:34:40 +08:00
whyour
a864a56917 修复调试脚本日志丢失 2023-09-22 00:46:16 +08:00
whyour
40e8041401 修复退出调试自动删除调试日志目录 2023-08-22 22:18:18 +08:00
whyour
41521f1d08 修复 token 任务脚本路径,容器启动 bot 2023-05-13 01:10:49 +08:00
whyour
a2d9f1a5db 脚本管理支持重命名文件/文件夹 2022-12-27 16:02:15 +08:00
whyour
b95fb9cda4 修改退出进程逻辑 2022-12-05 15:26:22 +08:00
whyour
25b03d4345 脚本管理支持删除文件夹 2022-09-23 19:12:51 +08:00
whyour
1e55f4065d 升级umi4.0,修复新建脚本 2022-09-18 20:40:59 +08:00
whyour
967071ad4e 脚本管理支持新增文件夹 2022-09-16 00:14:10 +08:00
whyour
b009d3e3fd 修复无法更新脚本内容为空 2022-06-08 23:57:22 +08:00
whyour
6d42a680b1 移除console 2022-06-08 18:39:10 +08:00
whyour
c4a4764762 移除无用日志 2022-06-08 11:12:15 +08:00
whyour
3b5bcf8f16 修复调试脚本目录 2022-06-05 21:25:09 +08:00
whyour
8735321e34 修复调试脚本运行需要先保存 2022-06-05 19:26:32 +08:00
whyour
106b34e33a 新建脚本支持文件上传 2022-06-04 00:12:26 +08:00
whyour
76b6677f5a 修复日志获取 2022-05-24 10:00:42 +08:00
whyour
af74afd10d 修复获取脚本列表 2022-05-23 19:22:20 +08:00
whyour
d96206ef66 修改新建订阅字段提示 2022-05-21 00:12:12 +08:00
whyour
1695b8c0fe 统一api错误提示 2022-05-17 23:31:29 +08:00
whyour
2e6ca5419d 调试脚本增加停止,修复调试交互 2021-12-23 23:25:39 +08:00
whyour
46aaeb4eac 增加系统openapi 2021-12-21 23:22:34 +08:00
whyour
2f5e946979 修复调试运行时文件路径 2021-11-23 23:36:43 +08:00
whyour
40b0e90c0d 修复调试功能 2021-11-20 01:06:25 +08:00
whyour
96b0127811 修复脚本管理删除、新建增加选择父目录 2021-11-16 14:18:02 +08:00
whyour
6a81ba9069 修复脚本管理树结构 2021-11-13 11:14:43 +08:00
whyour
a2ce3304de 修复脚本管理数据 2021-11-12 23:18:24 +08:00
whyour
ee0b47d101 修改workflow变量 2021-11-12 22:09:02 +08:00
whyour
50dd235e39 脚本管理改成树结构 2021-11-11 00:10:05 +08:00
hanhh
900d279bf6 修复新建文件 2021-09-20 00:59:38 +08:00
hanhh
0baf0d23ae 脚本管理支持新增文件 2021-09-19 21:23:03 +08:00