whyour
d0d8a5b2c0
Update npm version v2.17.12
2026-03-01 18:05:15 +08:00
whyour
356c29b0c7
Change debian version to 12 bookworm
2026-03-01 18:05:15 +08:00
whyour
5c4e434aa7
Update npm version v2.17.11
2026-03-01 18:05:15 +08:00
whyour
1dcf9dae2f
Update npm version v2.17.10
2026-03-01 18:05:15 +08:00
whyour
fca7c46e6a
Update npm version v2.17.9
2026-03-01 18:05:15 +08:00
whyour
d1a4e92d0f
Fix qinglong command
2026-03-01 18:05:15 +08:00
whyour
bf6a4de5c6
Update npm version v2.17.8
2026-03-01 18:05:15 +08:00
whyour
5f41904f53
Add reload logic to npm startup
2026-03-01 18:05:15 +08:00
whyour
1ff1dcf4c2
Change the dependency for running ts files
2026-03-01 18:05:15 +08:00
whyour
fc5977de1f
Update npm version v0.21.2
2026-03-01 18:05:15 +08:00
whyour
f79820e5f0
Change apt command
2026-03-01 18:05:15 +08:00
whyour
29896b8c94
Auto-detect alpine and debian when installing linux dependencies
2026-03-01 18:05:15 +08:00
whyour
d6be908a2c
Update npm version v0.20.4
2026-03-01 18:05:15 +08:00
whyour
6c88523d91
Fix debian netcat package name
2026-03-01 18:05:14 +08:00
whyour
45b42a415f
Update npm version v0.19.9
2026-03-01 18:05:14 +08:00
whyour
cfe1bdff07
Change npm install and start commands
2026-03-01 18:05:14 +08:00
whyour
34b11aaa65
Update npm version v0.18.0
2026-03-01 18:05:14 +08:00
whyour
167b83ecc6
Update npm version v0.17.0
2026-03-01 18:05:14 +08:00
whyour
578fa874d3
Fix linux mirror source
2026-03-01 18:05:14 +08:00
whyour
4e1401eb27
Update npm version v0.16.0
2026-03-01 18:05:14 +08:00
whyour
043934b9fc
Update workflow action version
2026-03-01 18:05:14 +08:00
whyour
ec06db53e1
Add npx command
2026-03-01 18:05:14 +08:00
whyour
9f8c6fe811
Update npm version v0.14.5
2026-03-01 18:05:14 +08:00
whyour
de78d9840a
Fix workflow
2026-03-01 18:05:14 +08:00
whyour
67244bde92
Remove the default npm mirror source from the qinglong command
2026-03-01 18:05:14 +08:00
whyour
525e6ff2aa
Fix qinglong command
2026-03-01 18:05:14 +08:00
whyour
99993a3b2b
Change linux mirror source switching
2026-03-01 18:05:14 +08:00
whyour
6d87206ec9
Add debian development version
2026-03-01 18:05:14 +08:00
whyour
4d3fa6b0d4
Update npm version v0.13.2
2026-03-01 18:05:14 +08:00
whyour
9372d2030f
Fix qinglong command
2026-03-01 18:05:14 +08:00
whyour
8892a4a816
Fix shell check_server
2026-03-01 18:05:14 +08:00
whyour
2bf5c2c3c9
Fix pulling private repositories
2026-03-01 18:05:14 +08:00
dream10201
e8a35dd5ee
Fix linux dependency detection ( #2082 )
2026-03-01 18:05:14 +08:00
whyour
51a4408c19
Update npm v0.8.4
2026-03-01 18:05:14 +08:00
whyour
360a35d70d
Update npm version 0.7.7
2026-03-01 18:05:14 +08:00
whyour
28a95d1e1c
Fix debian apt command, support qinglong command
2026-03-01 18:05:14 +08:00
whyour
609d554cd4
Add debian-slim base image
2026-03-01 18:05:14 +08:00
whyour
e9804c51f8
Change the api path for fetching sample files
2026-03-01 18:05:14 +08:00
Copilot
6bec52dca1
Fix /open/user/init auth bypass allowing credential reset on initialized systems ( #2941 )
...
* Initial plan
* fix: add /open/user/init paths to init guard to prevent auth bypass
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <imwhyour@gmail.com>
2026-03-01 18:02:21 +08:00
rockymelody
ce599d306f
Qinglong panel authentication bypass vulnerability fixed ( #2935 )
...
Security hardening measures implemented
Defense layer 1: enable Express strict routing (lines 17-18)
app.set('case sensitive routing', true); // case-sensitive routing
app.set('strict routing', true); // strict route matching
Defense layer 2: path normalization check middleware (lines 23-37)
app.use((req, res, next) => {
  const originalPath = req.path;
  const normalizedPath = originalPath.toLowerCase();
  // Detect and block case-confusion attacks
  if (originalPath !== normalizedPath &&
      (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
    return res.status(400).json({
      code: 400,
      message: 'Invalid path format'
    });
  }
  next();
});
Effect: proactively detects and rejects malicious requests containing case variants
Defense layer 3: JWT middleware regular expression fix (line 59)
// Before the fix:
path: [...config.apiWhiteList, /^\/(?!api\/).*/],
// After the fix: add the case-insensitive flag 'i'
path: [...config.apiWhiteList, /^(\/(?!api\/).*)$/i],
Effect: defends against bypass at the regex-matching level
Defense layer 4: path normalization in the custom Token middleware (lines 74-87)
// Before the fix:
if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {
// After the fix: convert to lowercase before comparing
const pathLower = req.path.toLowerCase();
if (!['/open/', '/api/'].some((x) => pathLower.startsWith(x))) {
}
Effect: ensures the Token validation logic applies to all path variants
Defense layer 5: init endpoint path check fix (lines 122-123)
// Before the fix:
if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {
// After the fix:
const pathLower = req.path.toLowerCase();
if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
2026-03-01 17:44:03 +08:00
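The path checks quoted in the commit message above, modelled as pure functions and run over constructed paths; this is an added example for regression testing, not the project's code. Express matches routes case-insensitively unless `case sensitive routing` is enabled, so the function names and sample paths here are assumptions, while the prefixes, regexes and comparisons are the ones the commit message shows.

```javascript
// Added example: before/after behaviour of the checks from commit ce599d306f.
// All function names and sample paths are hypothetical.
const PROTECTED_PREFIXES = ['/open/', '/api/'];

// Layer 3: regex in the JWT middleware's exclusion list.
// A match means the path is exempt from JWT verification.
const JWT_EXEMPT_BEFORE = /^\/(?!api\/).*/;
const JWT_EXEMPT_AFTER = /^(\/(?!api\/).*)$/i;

// Layer 4: does the custom token middleware see the path as protected?
function isProtectedBefore(path) {
  return PROTECTED_PREFIXES.some((x) => path.startsWith(x));
}
function isProtectedAfter(path) {
  const pathLower = path.toLowerCase();
  return PROTECTED_PREFIXES.some((x) => pathLower.startsWith(x));
}

// Layer 2: reject /api/ or /open/ paths that are not already lowercase.
function isRejectedByNormalizationCheck(path) {
  const normalizedPath = path.toLowerCase();
  return path !== normalizedPath &&
    PROTECTED_PREFIXES.some((x) => normalizedPath.startsWith(x));
}

// Classify one request path under every check, before and after the fix.
function auditPath(path) {
  return {
    path,
    jwtExemptBefore: JWT_EXEMPT_BEFORE.test(path),
    jwtExemptAfter: JWT_EXEMPT_AFTER.test(path),
    protectedBefore: isProtectedBefore(path),
    protectedAfter: isProtectedAfter(path),
    rejectedByLayer2: isRejectedByNormalizationCheck(path),
  };
}

// Constructed sample paths: canonical, mixed-case variants, and a static asset.
const SAMPLE_PATHS = ['/api/example', '/API/example', '/Open/example', '/static/app.js'];
const report = SAMPLE_PATHS.map(auditPath);
console.table(report);
```

A row where `jwtExemptBefore` is true or `protectedBefore` is false for a mixed-case `/api/` or `/open/` path marks a request the pre-fix checks would not have authenticated.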
whyour
d53437d169
Update 2.20.1
2025-12-26 21:17:30 +08:00
whyour
d526602d19
Fix the stop operation for running tasks
2025-12-26 01:07:08 +08:00
whyour
91b44914f6
Fix environment variable sorting
2025-12-26 00:41:32 +08:00
whyour
4f6c93cc1c
Update workflow
2025-12-24 01:03:21 +08:00
whyour
e326d89571
Fix apiWhiteList path
2025-12-23 00:58:09 +08:00
whyour
5f0dafa010
Fix cron-parser import, websocket basepath
2025-12-23 00:28:16 +08:00
Copilot
dc0b3f2eb2
Fix QlBaseUrl: use URL rewrite for base path support ( #2876 )
...
* Initial plan
* Add QlBaseUrl support to backend routes
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Fix whitelist check to use base-URL-aware paths
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Update websocket and frontend to support base URL
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Address code review feedback: fix JWT regex and path construction
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Fix path construction: use req.path directly for whitelist check
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Add clarifying comments and improve code readability
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Apply code review suggestions: improve clarity and simplify logic
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Simplify baseUrl implementation using URL rewrite
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:44:29 +08:00
Copilot
3db716763d
Fix cron-parser v5 bundling incompatibility causing validation failures ( #2877 )
...
* Initial plan
* Fix: Use default import for cron-parser to ensure browser compatibility
Changed from named export `{ CronExpressionParser }` to default export `cronParser` and access `CronExpressionParser` through it. This ensures compatibility with webpack/UmiJS bundling for browser environments while maintaining backend functionality.
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:43:54 +08:00
Copilot
fae226745e
Add missing larkSecret field to gRPC NotificationInfo proto ( #2880 )
...
* Initial plan
* Add larkSecret field to NotificationInfo proto definition
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:38:42 +08:00
Copilot
9330650163
Fix TG_PROXY_AUTH concatenation in notify.js - add missing @ separator ( #2882 )
...
* Initial plan
* Fix TG_PROXY_AUTH handling in notify.js to match notify.py logic
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
* Apply prettier formatting to notify.js
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-12-22 23:05:06 +08:00