mirror of
https://github.com/whyour/qinglong.git
synced 2026-06-28 02:45:08 +08:00
59a357f76f
Audit of the backend attack surface and fixes for the web-reachable CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized hardening helpers (shellEscape, assertSafeDependenceName, SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue). - Subscription fields (url/branch/whitelist/blacklist/extensions/proxy) are now shell-escaped before reaching spawn() and validated with strict Joi patterns at the API, closing OS command injection and the downstream shell eval/git-arg-injection paths. - Dependency names are validated before interpolation into pnpm/pip/apk/apt commands (incl. the embedded Python source). - SSH config generation rejects newline/metachar injection in host/proxy (prevents injected ProxyCommand execution). - ConfigService.getFile resolves the real path before containment check, fixing data/scripts/../db traversal that leaked the SQLite DB. - /configs/save containment check fixed (sibling-dir write bypass). - Script/env uploads use path.basename, preventing arbitrary file write (crontab.list/env.sh overwrite -> RCE) via multer originalname. - JWT secret is generated and persisted per-install instead of the public default 'whyour-secret'; production refuses to boot without one. - Token comparison is now constant-time (safeCompare). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
319 lines
8.9 KiB
TypeScript
319 lines
8.9 KiB
TypeScript
import { Joi, celebrate } from 'celebrate';
|
|
import { NextFunction, Request, Response, Router } from 'express';
|
|
import fs from 'fs';
|
|
import path from 'path';
|
|
import multer from 'multer';
|
|
import { Container } from 'typedi';
|
|
import { Logger } from 'winston';
|
|
import config from '../config';
|
|
import { safeJSONParse } from '../config/util';
|
|
import { t } from '../shared/i18n';
|
|
import EnvService from '../services/env';
|
|
const route = Router();
|
|
|
|
const storage = multer.diskStorage({
|
|
destination: function (req, file, cb) {
|
|
cb(null, config.scriptPath);
|
|
},
|
|
filename: function (req, file, cb) {
|
|
// Never trust the client-supplied name: strip any directory components so
|
|
// the upload cannot be written outside config.scriptPath (path traversal).
|
|
const safeName = path.basename(file.originalname || '');
|
|
if (!safeName || safeName === '.' || safeName === '..') {
|
|
return cb(new Error('Invalid filename'), '');
|
|
}
|
|
cb(null, safeName);
|
|
},
|
|
});
|
|
const upload = multer({ storage: storage });
|
|
const labelSchema = Joi.array()
|
|
.items(Joi.string().trim().required())
|
|
.min(1)
|
|
.required();
|
|
|
|
export default (app: Router) => {
|
|
app.use('/envs', route);
|
|
|
|
route.get('/', async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.envs(req.query.searchValue as string);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
logger.error('🔥 error: %o', e);
|
|
return next(e);
|
|
}
|
|
});
|
|
|
|
route.post(
|
|
'/',
|
|
celebrate({
|
|
body: Joi.array().items(
|
|
Joi.object({
|
|
value: Joi.string().required(),
|
|
name: Joi.string()
|
|
.required()
|
|
.pattern(/^[a-zA-Z_][0-9a-zA-Z_]*$/),
|
|
remarks: Joi.string().optional().allow(''),
|
|
labels: Joi.array().items(Joi.string().trim()).optional(),
|
|
}),
|
|
),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
if (!req.body?.length) {
|
|
return res.send({ code: 400, message: t('参数不正确') });
|
|
}
|
|
const data = await envService.create(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/',
|
|
celebrate({
|
|
body: Joi.object({
|
|
value: Joi.string().required(),
|
|
name: Joi.string().required(),
|
|
remarks: Joi.string().optional().allow('').allow(null),
|
|
id: Joi.number().required(),
|
|
labels: Joi.array().items(Joi.string().trim()).optional(),
|
|
}),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.update(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.delete(
|
|
'/',
|
|
celebrate({
|
|
body: Joi.array().items(Joi.number().required()),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.remove(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/:id/move',
|
|
celebrate({
|
|
params: Joi.object({
|
|
id: Joi.number().required(),
|
|
}),
|
|
body: Joi.object({
|
|
fromIndex: Joi.number().required(),
|
|
toIndex: Joi.number().required(),
|
|
}),
|
|
}),
|
|
async (req: Request<{ id: number }>, res: Response, next: NextFunction) => {
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.move(req.params.id, req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/disable',
|
|
celebrate({
|
|
body: Joi.array().items(Joi.number().required()),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.disabled(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/enable',
|
|
celebrate({
|
|
body: Joi.array().items(Joi.number().required()),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.enabled(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/name',
|
|
celebrate({
|
|
body: Joi.object({
|
|
ids: Joi.array().items(Joi.number().required()),
|
|
name: Joi.string().required(),
|
|
}),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.updateNames(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.get(
|
|
'/:id',
|
|
celebrate({
|
|
params: Joi.object({
|
|
id: Joi.number().required(),
|
|
}),
|
|
}),
|
|
async (req: Request<{ id: number }>, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.getDb({ id: req.params.id });
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/pin',
|
|
celebrate({
|
|
body: Joi.array().items(Joi.number().required()),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.pin(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.put(
|
|
'/unpin',
|
|
celebrate({
|
|
body: Joi.array().items(Joi.number().required()),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.unPin(req.body);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.post(
|
|
'/labels',
|
|
celebrate({
|
|
body: Joi.object({
|
|
ids: Joi.array().items(Joi.number().required()).min(1).required(),
|
|
labels: labelSchema,
|
|
}),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.addLabels(req.body.ids, req.body.labels);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.delete(
|
|
'/labels',
|
|
celebrate({
|
|
body: Joi.object({
|
|
ids: Joi.array().items(Joi.number().required()).min(1).required(),
|
|
labels: labelSchema,
|
|
}),
|
|
}),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const data = await envService.removeLabels(req.body.ids, req.body.labels);
|
|
return res.send({ code: 200, data });
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
|
|
route.post(
|
|
'/upload',
|
|
upload.single('env'),
|
|
async (req: Request, res: Response, next: NextFunction) => {
|
|
const logger: Logger = Container.get('logger');
|
|
try {
|
|
const envService = Container.get(EnvService);
|
|
const fileContent = await fs.promises.readFile(req!.file!.path, 'utf8');
|
|
const parseContent = safeJSONParse(fileContent);
|
|
const data = Array.isArray(parseContent)
|
|
? parseContent
|
|
: [parseContent];
|
|
if (data.every((x) => x.name && x.value)) {
|
|
const result = await envService.create(
|
|
data.map((x) => ({
|
|
name: x.name,
|
|
value: x.value,
|
|
remarks: x.remarks,
|
|
labels: x.labels,
|
|
})),
|
|
);
|
|
return res.send({ code: 200, data: result });
|
|
} else {
|
|
return res.send({
|
|
code: 400,
|
|
message: t('每条数据 name 或者 value 字段不能为空,参考导出文件格式'),
|
|
});
|
|
}
|
|
} catch (e) {
|
|
return next(e);
|
|
}
|
|
},
|
|
);
|
|
};
|