qinglong/SECURITY_ENHANCEMENTS.md
copilot-swe-agent[bot] ac8090d937 Add comprehensive security validation to prevent malicious code injection
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2026-02-08 15:23:03 +00:00


Security Enhancements

Overview

This document describes the security enhancements implemented to prevent malicious code injection attacks in Qinglong.

Issue Background

A security vulnerability was discovered where malicious code could be injected into the system through:

  1. Cron task fields (task_before, task_after, command)
  2. Configuration file writes (config.sh, extra.sh, etc.)

The reported incident involved a malicious script that:

  • Downloaded an external binary (.fullgc) from a suspicious domain
  • Executed the binary in the background
  • Persisted by continuously re-injecting itself

Security Fixes Implemented

1. Input Validation for Cron Tasks

File: /back/validation/schedule.ts

Added comprehensive validation to detect and block dangerous shell patterns:

  • Command Substitution: Blocks $(...) and backtick patterns that could execute hidden commands
  • File Downloads: Blocks curl, wget, fetch commands
  • External URLs: Blocks HTTP/HTTPS URLs to prevent external resource downloads
  • Hidden Files: Blocks references to files starting with . (common in malware)
  • Background Execution: Blocks suspicious nohup patterns
  • Output Hiding: Blocks redirects to /dev/null combined with background execution
  • Obfuscation: Blocks base64, decode, eval patterns
  • Temp Directory Execution: Blocks execution from /tmp or hidden directories

2. Config File Content Security

File: /back/api/config.ts

Enhanced validation for configuration file content to prevent:

  • Downloads followed by execution (curl | bash, wget | bash)
  • Download and permission changes (curl && chmod +x)
  • Suspicious executable downloads (files like .fullgc)
  • Background execution of hidden files
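A deny-list of the kind described in sections 1 and 2, as an added example that is not Qinglong's own code. The rule names, regexes, helper names and sample tasks are assumptions made for illustration; only the error strings and the /ql/data/db/.fullgc path come from this page.

```typescript
// Added example: the regexes below are illustrative assumptions, not the
// rules shipped in /back/validation/schedule.ts.
type Rule = { name: string; pattern: RegExp };

const RULES: Rule[] = [
  { name: "command-substitution", pattern: /\$\(|`/ },
  { name: "file-download", pattern: /\b(curl|wget|fetch)\b/i },
  { name: "external-url", pattern: /https?:\/\//i },
  { name: "hidden-file", pattern: /(^|[\s\/])\.[A-Za-z0-9_]/ },
  { name: "background-nohup", pattern: /\bnohup\b/ },
  // Redirect to /dev/null only counts when the same line is backgrounded.
  { name: "output-hiding", pattern: />\s*\/dev\/null[^\n]*&\s*$/m },
  { name: "obfuscation", pattern: /\b(base64|decode|eval)\b/i },
  { name: "tmp-execution", pattern: /(^|[\s;&|])\/tmp\/\S+/ },
];

type Field = "command" | "task_before" | "task_after";
const FIELDS: Field[] = ["command", "task_before", "task_after"];

// Error strings as listed under "Validation Error Messages" on this page.
const MESSAGES: Record<Field, string> = {
  command: "命令包含潜在危险的模式,已被安全系统拦截",
  task_before: "前置命令包含潜在危险的模式,已被安全系统拦截",
  task_after: "后置命令包含潜在危险的模式,已被安全系统拦截",
};

type CronTask = Partial<Record<Field, string>>;
type Finding = { field: Field; message: string; rules: string[] };

// Names of every rule the input trips, in RULES order.
function findViolations(input: string): string[] {
  return RULES.filter((r) => r.pattern.test(input)).map((r) => r.name);
}

// Check each field separately so the caller can report which one failed.
function validateTask(task: CronTask): Finding[] {
  const findings: Finding[] = [];
  for (const field of FIELDS) {
    const rules = findViolations(task[field] || "");
    if (rules.length > 0) findings.push({ field, message: MESSAGES[field], rules });
  }
  return findings;
}

// Constructed sample tasks (not taken from the incident report).
const BENIGN: CronTask = { command: "task scripts/checkin.js", task_before: "echo start" };
const HOOKED: CronTask = { command: "task scripts/checkin.js",
  task_after: "nohup /ql/data/db/.fullgc >/dev/null 2>&1 &" };
// A legitimate argument that the deny-list still rejects (see Limitations).
const FALSE_POSITIVE: CronTask = { command: "task sync.js https://example.com/list.json" };
```

validateTask(HOOKED) reports the task_after field with three rules at once, while FALSE_POSITIVE shows the cost of blocking every URL.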

3. Improved Shell Escaping

File: /back/services/cron.ts

Replaced weak shell escaping with a robust escapeShellArg() function that:

  • Properly escapes single quotes using '\\'' pattern
  • Normalizes whitespace and newlines
  • Prevents command injection through various shell metacharacters
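The escaping described above, as an added example rather than the function in /back/services/cron.ts. The body of escapeShellArg is an assumed implementation of the listed behaviour; weakQuote, shellView and the sample input are hypothetical names and values introduced here to show what a POSIX shell would still interpret.

```typescript
// Added example. escapeShellArg here is an assumed implementation of the
// behaviour described above, not the function in /back/services/cron.ts.
function escapeShellArg(arg: string): string {
  // Collapse newlines, tabs and runs of spaces so the value stays on one line.
  const normalized = arg.replace(/\s+/g, " ").trim();
  // Close the quote, emit an escaped quote, reopen: ' becomes '\''
  return "'" + normalized.replace(/'/g, "'\\''") + "'";
}

// Hypothetical weak variant for contrast: wraps in quotes, escapes nothing.
function weakQuote(arg: string): string {
  return "'" + arg + "'";
}

type ShellView = { literal: string; unquoted: string; balanced: boolean };

// Minimal model of POSIX word parsing for single quotes and backslash only:
// reports the text the shell would pass on and which characters it would
// still interpret (anything outside quotes and not backslash-escaped).
function shellView(word: string): ShellView {
  let literal = "";
  let unquoted = "";
  let inQuote = false;
  let escaped = false;
  for (let i = 0; i < word.length; i++) {
    const c = word.charAt(i);
    if (escaped) { literal += c; escaped = false; }
    else if (inQuote) { if (c === "'") inQuote = false; else literal += c; }
    else if (c === "'") inQuote = true;
    else if (c === "\\") escaped = true;
    else { literal += c; unquoted += c; }
  }
  return { literal, unquoted, balanced: !inQuote };
}

// Constructed input: a quote followed by shell metacharacters.
const SAMPLE = "backup's; echo $(date) &";
const HARDENED = shellView(escapeShellArg(SAMPLE));
const WEAK = shellView(weakQuote(SAMPLE));
```

HARDENED.unquoted is empty, so every metacharacter reaches the program as data; WEAK.unquoted contains everything after the embedded quote, which the shell would parse as syntax.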

Security Best Practices

For Administrators

  1. Review Existing Tasks: Audit all existing cron tasks for suspicious patterns
  2. Monitor Logs: Check logs for security validation warnings
  3. Update Dependencies: Keep all npm/pip dependencies up to date
  4. Limit Access: Restrict who can create/modify cron tasks and config files
  5. Regular Backups: Maintain backups of configuration files

For Users

  1. Trusted Sources Only: Only add scripts from trusted repositories
  2. Code Review: Review any script before adding it to your cron tasks
  3. Avoid External URLs: Don't include download commands in task hooks
  4. Report Suspicious Activity: Report any unusual system behavior immediately

Validation Error Messages

When the security system blocks a pattern, you'll see error messages like:

  • 命令包含潜在危险的模式,已被安全系统拦截 - Command contains dangerous pattern
  • 前置命令包含潜在危险的模式,已被安全系统拦截 - task_before contains dangerous pattern
  • 后置命令包含潜在危险的模式,已被安全系统拦截 - task_after contains dangerous pattern
  • 配置文件内容包含潜在危险的模式,已被安全系统拦截 - Config file contains dangerous pattern

What to Do If You're Affected

If you've been affected by the malicious code injection:

1. Immediate Actions

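# Stop and remove the malicious process
# (-f matches a regex against the full command line, so escape the dot)
pkill -f '\.fullgc'
rm -f /ql/data/db/.fullgc

# Check for the malicious code in configuration files
# (-F searches for the literal string rather than a regex)
grep -rF "fullgc" /ql/data/config/
grep -rF "551911.xyz" /ql/data/config/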

2. Clean Configuration Files

# Backup current configs
cp -r /ql/data/config /ql/data/config.backup

# Review and clean these files:
# - /ql/data/config/config.sh
# - /ql/data/config/extra.sh
# - /ql/data/config/task_before.sh
# - /ql/data/config/task_after.sh

# Remove any lines containing:
# - Downloads (curl, wget)
# - External URLs
# - .fullgc references

3. Review Cron Tasks

  1. Log into Qinglong admin panel
  2. Check all cron tasks for suspicious content in:
    • Command field
    • task_before field
    • task_after field
  3. Delete or clean any suspicious tasks

4. Update to Patched Version

Ensure you're running a version of Qinglong with these security fixes.

5. Change Credentials

If you suspect compromise:

  • Change your Qinglong admin password
  • Review and rotate any API tokens
  • Check for unauthorized access in logs

Detection

Log Analysis

Security events are logged to help detect attempted attacks:

# Check for security validation failures in logs
grep "安全系统拦截" /ql/data/log/*.log

# Check for suspicious file modifications
grep "配置文件写入" /ql/data/log/*.log

File Integrity

Regularly check for unexpected files:

# Find hidden executables in data directory
find /ql/data -type f -name ".*" -executable

# Check for recently modified config files
find /ql/data/config -type f -mtime -1

Limitations

These security measures provide defense-in-depth but are not foolproof:

  • Legitimate use cases requiring downloads must use alternative methods
  • Very sophisticated attacks may find bypasses
  • Users with admin access can still compromise the system
  • Compromised dependencies can still execute malicious code

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT create public GitHub issues for security vulnerabilities
  2. Contact the maintainers privately
  3. Provide detailed information about the vulnerability
  4. Allow time for a patch before public disclosure
