Commit Graph

60 Commits

Author SHA1 Message Date
Copilot
6bec52dca1
Fix /open/user/init auth bypass allowing credential reset on initialized systems (#2941)
* Initial plan

* fix: add /open/user/init paths to init guard to prevent auth bypass

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <imwhyour@gmail.com>
2026-03-01 18:02:21 +08:00
rockymelody
ce599d306f
Qinglong panel authentication bypass vulnerability fixed (#2935)
Security hardening measures implemented
Layer 1 defense: enable Express strict routing (lines 17-18)
app.set('case sensitive routing', true);  // case-sensitive routing
app.set('strict routing', true);           // strict route matching
Layer 2 defense: path normalization check middleware (lines 23-37)
app.use((req, res, next) => {
  const originalPath = req.path;
  const normalizedPath = originalPath.toLowerCase();

  // Detect and block mixed-case path confusion attacks
  if (originalPath !== normalizedPath &&
      (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
    return res.status(400).json({
      code: 400,
      message: 'Invalid path format'
    });
  }

  next();
});
Effect: proactively detects and rejects malicious requests that use case variants of a path
Layer 3 defense: JWT middleware regular expression fix (line 59)
// Before the fix:
path: [...config.apiWhiteList, /^\/(?!api\/).*/],

// After the fix: add the case-insensitive flag 'i'
path: [...config.apiWhiteList, /^(\/(?!api\/).*)$/i],
Effect: defends against bypasses at the regex-matching level
Layer 4 defense: path normalization in the custom token middleware (lines 74-87)
// Before the fix:
if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {

// After the fix: compare in lowercase consistently
const pathLower = req.path.toLowerCase();
if (!['/open/', '/api/'].some((x) => pathLower.startsWith(x))) {
}
Effect: ensures the token validation logic takes effect for all path variants

Layer 5 defense: initialization endpoint path check fix (lines 122-123)
// Before the fix:
if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {

// After the fix:
const pathLower = req.path.toLowerCase();
if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
2026-03-01 17:44:03 +08:00
Copilot
dc0b3f2eb2
Fix QlBaseUrl: use URL rewrite for base path support (#2876)
* Initial plan

* Add QlBaseUrl support to backend routes

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Fix whitelist check to use base-URL-aware paths

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Update websocket and frontend to support base URL

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Address code review feedback: fix JWT regex and path construction

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Fix path construction: use req.path directly for whitelist check

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add clarifying comments and improve code readability

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Apply code review suggestions: improve clarity and simplify logic

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Simplify baseUrl implementation using URL rewrite

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:44:29 +08:00
Copilot
48abf44ceb
feat: Support multiple concurrent login sessions per platform (#2816)
* Initial plan

* Implement multi-device login support - allow multiple concurrent sessions

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Address code review feedback - extract constants and utility functions

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Add validation and logging improvements based on code review

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

* Revert unnecessary file changes - keep only multi-device login feature files

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-11-19 00:18:29 +08:00
whyour
399728b433 Fix JWT authentication 2025-11-02 22:28:58 +08:00
whyour
18f27a9a69 Remove nginx 2025-11-02 19:29:59 +08:00
whyour
d871585eee Change service startup logic 2025-05-07 09:30:00 +08:00
whyour
af97543918 Change error messages 2025-01-14 23:20:53 +08:00
whyour
f1ca2134b7 Remove nedb and sentry 2025-01-14 00:24:25 +08:00
whyour
678e3e2dc6 Change how authentication info is stored to avoid authentication info anomalies 2024-12-30 14:23:04 +08:00
whyour
ab27a4c908 Update node dependencies 2024-12-12 00:26:11 +08:00
whyour
af5de8372c Fix shell variable initialization check, update sentry version 2024-08-18 14:19:45 +08:00
whyour
d2fef75e01 Change trust proxy 2023-11-02 00:47:33 +08:00
whyour
085cb789b5 Fix initialization notification settings, shell mapping, and email notification error message 2023-11-02 00:41:04 +08:00
whyour
20f615eadf Replace fs file operations with fs.promise 2023-11-01 16:44:34 +08:00
whyour
4618a19c04 Change local listening IP 2023-08-29 21:50:23 +08:00
whyour
e2bd15683e Fix JSON.parse error, fix deleting environment variables with overly long names 2023-08-27 12:41:06 +08:00
whyour
4f7649f157 Add system run log to system settings 2023-08-21 00:10:43 +08:00
whyour
9f4435b237 Change initialization logic 2023-06-16 02:12:25 +08:00
whyour
5b1accffb7 Change API rate-limiting policy, fix check log 2023-06-07 22:45:37 +08:00
whyour
998e82d323 Add API rate-limiting configuration 2023-05-30 16:41:19 +08:00
whyour
490bdc15f6 Support deployment under a non-root path 2023-05-19 01:10:33 +08:00
whyour
6ac755b478 Fix backend HTML caching 2023-05-15 22:34:06 +08:00
whyour
50718ba714 Fix public service forwarding 2023-05-10 01:07:46 +08:00
whyour
8b8bd279c6 Fix nginx forwarding of the stream endpoint not working; stop-run command supports a pid parameter 2023-05-04 21:28:14 +08:00
whyour
bd28682769 Exclude authentication failures from error reporting 2022-09-06 23:57:21 +08:00
whyour
dcd39ea6d8 Remove built-in token check 2022-07-11 21:21:35 +08:00
whyour
99d881fc0d Fix system token validation 2022-06-18 19:24:56 +08:00
whyour
57e7d756cb Change how the system obtains tokens internally 2022-06-14 22:43:18 +08:00
whyour
c4a4764762 Remove unused logs 2022-06-08 11:12:15 +08:00
whyour
7caabe9063 Improve pulling of private repositories 2022-05-18 01:14:10 +08:00
whyour
fb6a80e306 Support changing avatar 2022-05-09 15:31:41 +08:00
whyour
cf5f1b6f25 Adjust data directory 2022-02-19 13:08:14 +08:00
whyour
3131f197b8 Fix local authentication-free task status modification 2022-01-25 22:52:27 +08:00
whyour
46aaeb4eac Add system openapi 2021-12-21 23:22:34 +08:00
whyour
02a1afb477 Fix openapi routing 2021-11-04 18:07:34 +08:00
whyour
5c5aef64b0 Add white-screen time and error reporting 2021-11-04 15:05:34 +08:00
whyour
1da1659b51 Support accessing the frontend directly via the server port 2021-10-28 23:35:21 +08:00
hanhh
b1077443a3 Add system update action and log-deletion frequency setting 2021-10-12 00:27:42 +08:00
hanhh
6819487a43 Change initialization check condition 2021-10-03 22:01:44 +08:00
hanhh
14b20873c7 Add initialization process 2021-10-03 20:58:55 +08:00
hanhh
2068ef7053 Fix type checking 2021-09-29 23:15:09 +08:00
hanhh
26d986d4a8 Fix server-side ts type checking 2021-09-24 22:49:14 +08:00
hanhh
f48b91dc0a Support multi-device login 2021-09-24 22:24:39 +08:00
whyour
9534cda1f9 Update notification service 2021-09-16 21:01:29 +08:00
hanhh
86c3e9a843 Add two-factor authentication 2021-08-30 23:37:26 +08:00
hanhh
1e58254f4c Add openapi module 2021-08-26 19:01:39 +08:00
hanhh
cad1d86caf Fix task interruption when task_before errors 2021-07-12 23:18:40 +08:00
hanhh
517fdcc8ec Fix possible spawn interruption, fix task status change after token expiry 2021-07-07 18:26:56 +08:00
hanhh
4bc1deda42 Fix req parameter 2021-07-01 11:49:44 +08:00