mirror of
https://github.com/whyour/qinglong.git
synced 2026-06-28 02:45:08 +08:00
59a357f76f
Audit of the backend attack surface and fixes for the web-reachable CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized hardening helpers (shellEscape, assertSafeDependenceName, SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue). - Subscription fields (url/branch/whitelist/blacklist/extensions/proxy) are now shell-escaped before reaching spawn() and validated with strict Joi patterns at the API, closing OS command injection and the downstream shell eval/git-arg-injection paths. - Dependency names are validated before interpolation into pnpm/pip/apk/apt commands (incl. the embedded Python source). - SSH config generation rejects newline/metachar injection in host/proxy (prevents injected ProxyCommand execution). - ConfigService.getFile resolves the real path before containment check, fixing data/scripts/../db traversal that leaked the SQLite DB. - /configs/save containment check fixed (sibling-dir write bypass). - Script/env uploads use path.basename, preventing arbitrary file write (crontab.list/env.sh overwrite -> RCE) via multer originalname. - JWT secret is generated and persisted per-install instead of the public default 'whyour-secret'; production refuses to boot without one. - Token comparison is now constant-time (safeCompare). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
54 lines
1.7 KiB
TypeScript
54 lines
1.7 KiB
TypeScript
import { Subscription } from '../data/subscription';
|
|
import isNil from 'lodash/isNil';
|
|
import { shellEscape } from '../shared/security';
|
|
|
|
export function formatUrl(doc: Subscription) {
|
|
let url = doc.url;
|
|
let host = '';
|
|
if (doc.type === 'private-repo') {
|
|
if (doc.pull_type === 'ssh-key') {
|
|
host = doc.url!.replace(/.*\@([^\:]+)\:.*/, '$1');
|
|
url = doc.url!.replace(host, doc.alias);
|
|
} else {
|
|
host = doc.url!.replace(/.*\:\/\/([^\/]+)\/.*/, '$1');
|
|
const { username, password } = doc.pull_option as any;
|
|
url = doc.url!.replace(host, `${username}:${password}@${host}`);
|
|
}
|
|
}
|
|
return { url, host };
|
|
}
|
|
|
|
export function formatCommand(doc: Subscription, url?: string) {
|
|
let command = `SUB_ID=${doc.id} ql `;
|
|
let _url = url || formatUrl(doc).url;
|
|
const {
|
|
type,
|
|
whitelist,
|
|
blacklist,
|
|
dependences,
|
|
branch,
|
|
extensions,
|
|
proxy,
|
|
autoAddCron,
|
|
autoDelCron,
|
|
} = doc;
|
|
const addCron = isNil(autoAddCron) ? true : Boolean(autoAddCron);
|
|
const delCron = isNil(autoDelCron) ? true : Boolean(autoDelCron);
|
|
// Every user-controlled value is single-quote escaped so it can never break
|
|
// out of the shell command passed to spawn(command, { shell: '/bin/bash' }).
|
|
if (type === 'file') {
|
|
command += `raw ${shellEscape(_url)} ${shellEscape(
|
|
proxy || '',
|
|
)} "${addCron}" "${delCron}"`;
|
|
} else {
|
|
command += `repo ${shellEscape(_url)} ${shellEscape(
|
|
whitelist || '',
|
|
)} ${shellEscape(blacklist || '')} ${shellEscape(
|
|
dependences || '',
|
|
)} ${shellEscape(branch || '')} ${shellEscape(extensions || '')} ${shellEscape(
|
|
proxy || '',
|
|
)} "${addCron}" "${delCron}"`;
|
|
}
|
|
return command;
|
|
}
|