Flody.lee
59a357f76f
fix(security): harden command injection, path traversal, auth surfaces
Audit of the backend attack surface and fixes for the web-reachable
CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized
hardening helpers (shellEscape, assertSafeDependenceName,
SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue).
- Subscription fields (url/branch/whitelist/blacklist/extensions/proxy)
are now shell-escaped before reaching spawn() and validated with strict
Joi patterns at the API, closing OS command injection and the
downstream shell eval/git-arg-injection paths.
- Dependency names are validated before interpolation into
pnpm/pip/apk/apt commands (incl. the embedded Python source).
- SSH config generation rejects newline/metachar injection in host/proxy
(prevents injected ProxyCommand execution).
- ConfigService.getFile resolves the real path before containment check,
fixing data/scripts/../db traversal that leaked the SQLite DB.
- /configs/save containment check fixed (sibling-dir write bypass).
- Script/env uploads use path.basename, preventing arbitrary file write
(crontab.list/env.sh overwrite -> RCE) via multer originalname.
- JWT secret is generated and persisted per-install instead of the public
default 'whyour-secret'; production refuses to boot without one.
- Token comparison is now constant-time (safeCompare).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 11:22:15 +08:00
whyour
3044f63f03
Fix internationalization text
2026-06-21 23:53:32 +08:00
whyour
949d956aef
Add certificate verification to the grpc service
2026-06-13 20:16:49 +08:00
whyour
05f8fd3805
Internationalize API prompt messages
2026-06-11 02:19:04 +08:00
whyour
3464c4da61
fix IPv6 connectivity
2026-05-06 01:29:01 +08:00
Copilot
dc0b3f2eb2
Fix QlBaseUrl: use URL rewrite for base path support (#2876)
* Initial plan
* Add QlBaseUrl support to backend routes
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Fix whitelist check to use base-URL-aware paths
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Update websocket and frontend to support base URL
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Address code review feedback: fix JWT regex and path construction
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Fix path construction: use req.path directly for whitelist check
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Add clarifying comments and improve code readability
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Apply code review suggestions: improve clarity and simplify logic
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Simplify baseUrl implementation using URL rewrite
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:44:29 +08:00
Copilot
48abf44ceb
feat: Support multiple concurrent login sessions per platform (#2816)
* Initial plan
* Implement multi-device login support - allow multiple concurrent sessions
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Address code review feedback - extract constants and utility functions
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Add validation and logging improvements based on code review
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Revert unnecessary file changes - keep only multi-device login feature files
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-11-19 00:18:29 +08:00
whyour
18f27a9a69
Remove nginx
2025-11-02 19:29:59 +08:00
whyour
ef9e38f167
Data backup supports selecting modules; support clearing the dependency cache
2025-06-22 14:25:19 +08:00
whyour
394e96bbf8
Fix error in the health endpoint
2025-06-07 00:25:47 +08:00
whyour
d871585eee
Change service startup logic
2025-05-07 09:30:00 +08:00
whyour
f9f78b4e05
Rename the built-in system notification module to avoid duplicates
2025-02-25 00:32:13 +08:00
whyour
51ef4e7476
Change the task status update failure message and the duplicate-run message
2025-01-12 00:19:14 +08:00
whyour
ff98c3a499
Fix file size not shown when jumping from a task to its script; fix subscription deletion not removing the repo directory
2024-09-08 21:08:15 +08:00
whyour
65f7483688
Fix notification for frequently running tasks
2024-08-25 16:28:32 +08:00
whyour
eb5cc3943d
Add built-in function QLAPI.notify for JavaScript and Python
2024-07-21 01:15:16 +08:00
whyour
e191aca41f
Change environment variable loading logic
2024-07-10 23:29:44 +08:00
whyour
71ba1534f2
Add custom writing of js and py type environment variables
2024-07-02 00:44:48 +08:00
whyour
7efe81df9e
Fix data directory detection logic
2024-06-25 22:25:36 +08:00
whyour
68ad01e0e8
Add update service
2024-03-10 22:07:06 +08:00
whyour
3777a4e7b4
Add dependency proxy and mirror settings to system settings
2023-11-25 21:49:33 +08:00
whyour
e2bd15683e
Fix JSON.parse error; fix deleting environment variables with overly long names
2023-08-27 12:41:06 +08:00
whyour
4f7649f157
Add system runtime logs to system settings
2023-08-21 00:10:43 +08:00
whyour
8b0dedaf8c
Fix the check for whether linux dependencies exist
2023-07-24 22:02:26 +08:00
whyour
88b87de391
Add data backup feature
2023-07-16 00:23:29 +08:00
whyour
490bdc15f6
Support deployment under a non-root path
2023-05-19 01:10:33 +08:00
whyour
b27ee23cc3
Refactor private repository ssh configuration logic
2023-04-06 13:38:55 +08:00
whyour
0ab756665e
Update version file
2022-12-28 11:06:47 +08:00
whyour
fb4a87f5ce
Fix version file caching
2022-11-05 15:23:17 +08:00
whyour
2ba8756bd3
Change cdn protocol
2022-10-30 12:00:12 +08:00
whyour
23bfbeb995
Change the new subscription prompt
2022-09-21 14:54:45 +08:00
whyour
55ffd85d48
Change environment variable loading path
2022-07-18 16:16:12 +08:00
whyour
075165f89d
Fix ql_dir environment variable
2022-07-18 16:09:34 +08:00
whyour
42dabbf4c0
Fix built-in token retrieval
2022-07-18 16:06:04 +08:00
whyour
999b5d325f
Fix environment variable initialization
2022-07-18 16:05:57 +08:00
whyour
027c3f584c
Change QL_DIR environment variable
2022-07-18 16:05:42 +08:00
whyour
57e7d756cb
Change how the system obtains the token internally
2022-06-14 22:43:18 +08:00
whyour
fb6a80e306
Support changing the avatar
2022-05-09 15:31:41 +08:00
whyour
03e6f18e54
Fix fetching the latest version file
2022-04-24 18:43:09 +08:00
whyour
8b5347dd44
Change the version fetch link
2022-04-04 17:17:34 +08:00
whyour
8fac58d73f
Switch Qiniu Cloud to http access
2022-04-01 08:29:16 +08:00
whyour
ee52f09bcb
Add public service for querying panel logs
2022-02-24 23:50:04 +08:00
whyour
f71b3d0378
Move version file to Qiniu Cloud storage
2022-02-19 22:48:06 +08:00
whyour
cf5f1b6f25
Adjust data directory
2022-02-19 13:08:14 +08:00
whyour
3131f197b8
Fix local auth-free access when changing task status
2022-01-25 22:52:27 +08:00
whyour
03c9f79549
Fix login/logout API paths
2021-12-21 23:42:05 +08:00
whyour
46aaeb4eac
Add system openapi
2021-12-21 23:22:34 +08:00
whyour
fae26efb88
Add forced update to the update check
2021-11-27 20:19:49 +08:00
whyour
2eed5cba14
Add initialization of dependency directories and files
2021-11-20 01:06:25 +08:00
whyour
795d1b938d
Add dependency management
2021-10-23 18:23:32 +08:00