mirror of
https://github.com/whyour/qinglong.git
synced 2026-06-28 02:45:08 +08:00
59a357f76f
Audit of the backend attack surface and fixes for the web-reachable CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized hardening helpers (shellEscape, assertSafeDependenceName, SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue). - Subscription fields (url/branch/whitelist/blacklist/extensions/proxy) are now shell-escaped before reaching spawn() and validated with strict Joi patterns at the API, closing OS command injection and the downstream shell eval/git-arg-injection paths. - Dependency names are validated before interpolation into pnpm/pip/apk/apt commands (incl. the embedded Python source). - SSH config generation rejects newline/metachar injection in host/proxy (prevents injected ProxyCommand execution). - ConfigService.getFile resolves the real path before containment check, fixing data/scripts/../db traversal that leaked the SQLite DB. - /configs/save containment check fixed (sibling-dir write bypass). - Script/env uploads use path.basename, preventing arbitrary file write (crontab.list/env.sh overwrite -> RCE) via multer originalname. - JWT secret is generated and persisted per-install instead of the public default 'whyour-secret'; production refuses to boot without one. - Token comparison is now constant-time (safeCompare). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| config.ts | ||
| cron.ts | ||
| cronView.ts | ||
| dependence.ts | ||
| env.ts | ||
| grpc.ts | ||
| health.ts | ||
| http.ts | ||
| log.ts | ||
| metrics.ts | ||
| notify.ts | ||
| open.ts | ||
| schedule.ts | ||
| script.ts | ||
| sock.ts | ||
| sshKey.ts | ||
| subscription.ts | ||
| system.ts | ||
| user.ts | ||