mirror of
https://github.com/whyour/qinglong.git
synced 2026-06-28 02:45:08 +08:00
59a357f76f
Audit of the backend attack surface and fixes for the web-reachable CRITICAL/HIGH issues. Adds back/shared/security.ts with centralized hardening helpers (shellEscape, assertSafeDependenceName, SUBSCRIPTION_PATTERNS, safeCompare, isSafeSshConfigValue). - Subscription fields (url/branch/whitelist/blacklist/extensions/proxy) are now shell-escaped before reaching spawn() and validated with strict Joi patterns at the API, closing OS command injection and the downstream shell eval/git-arg-injection paths. - Dependency names are validated before interpolation into pnpm/pip/apk/apt commands (incl. the embedded Python source). - SSH config generation rejects newline/metachar injection in host/proxy (prevents injected ProxyCommand execution). - ConfigService.getFile resolves the real path before containment check, fixing data/scripts/../db traversal that leaked the SQLite DB. - /configs/save containment check fixed (sibling-dir write bypass). - Script/env uploads use path.basename, preventing arbitrary file write (crontab.list/env.sh overwrite -> RCE) via multer originalname. - JWT secret is generated and persisted per-install instead of the public default 'whyour-secret'; production refuses to boot without one. - Token comparison is now constant-time (safeCompare). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
49 lines
1.9 KiB
TypeScript
49 lines
1.9 KiB
TypeScript
import { Service, Inject } from 'typedi';
|
|
import path from 'path';
|
|
import config from '../config';
|
|
import { getFileContentByName } from '../config/util';
|
|
import { t } from '../shared/i18n';
|
|
import { Response } from 'express';
|
|
import { request } from 'undici';
|
|
|
|
@Service()
|
|
export default class ConfigService {
|
|
constructor() {}
|
|
|
|
public async getFile(filePath: string, res: Response) {
|
|
let content = '';
|
|
if (!filePath) {
|
|
return res.send({ code: 403, message: t('文件无法访问') });
|
|
}
|
|
const normalized = path.normalize(filePath);
|
|
if (normalized.startsWith('..') || path.isAbsolute(normalized)) {
|
|
return res.send({ code: 403, message: t('文件无法访问') });
|
|
}
|
|
|
|
// Remote sample files are fetched (and path-checked) separately.
|
|
if (filePath.startsWith('sample/')) {
|
|
const sampleRes = await request(
|
|
`https://gitlab.com/whyour/qinglong/-/raw/master/${normalized}`,
|
|
);
|
|
return res.send({ code: 200, data: await sampleRes.body.text() });
|
|
}
|
|
|
|
// Resolve the ACTUAL file path first, then validate that it stays within
|
|
// its allowed base. Validating a different path than the one read is what
|
|
// previously allowed `data/scripts/../db/database.sqlite` style traversal.
|
|
const isScripts = filePath.startsWith('data/scripts/');
|
|
const base = path.resolve(isScripts ? config.scriptPath : config.configPath);
|
|
const rel = isScripts ? filePath.slice('data/scripts/'.length) : filePath;
|
|
const finalPath = path.resolve(base, rel);
|
|
if (finalPath !== base && !finalPath.startsWith(base + path.sep)) {
|
|
return res.send({ code: 403, message: t('文件无法访问') });
|
|
}
|
|
if (config.blackFileList.includes(path.basename(finalPath))) {
|
|
return res.send({ code: 403, message: t('文件无法访问') });
|
|
}
|
|
|
|
content = await getFileContentByName(finalPath);
|
|
res.send({ code: 200, data: content });
|
|
}
|
|
}
|