open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2026-03-13 15:05:10 +08:00
Code Issues Packages Projects Releases Wiki Activity
ce599d306f
qinglong/back
History
rockymelody ce599d306f
青龙面板鉴权绕过漏洞已修复 (#2935) 
已实施的安全加固措施
第一层防御:启用Express严格路由(第17-18行)
app.set('case sensitive routing', true);  // 路由大小写敏感
app.set('strict routing', true);           // 严格路由匹配
第二层防御:路径标准化检查中间件(第23-37行)
app.use((req, res, next) => {
  const originalPath = req.path;
  const normalizedPath = originalPath.toLowerCase();

  // 检测并拦截大小写混淆攻击
  if (originalPath !== normalizedPath &&
      (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
    return res.status(400).json({
      code: 400,
      message: 'Invalid path format'
    });
  }

  next();
});
作用:主动检测并拒绝含有大小写变体的恶意请求
第三层防御:JWT中间件正则表达式修复(第59行)
// 修复前:
path: [...config.apiWhiteList, /^\/(?!api\/).*/],

// 修复后:添加大小写不敏感标志 'i'
path: [...config.apiWhiteList, /^(\/(?!api\/).*)$/i],
作用:防御正则匹配层面的绕过
第四层防御:自定义Token中间件路径标准化(第74-87行)
// 修复前:
if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {

// 修复后:统一转小写比较
const pathLower = req.path.toLowerCase();
if (!['/open/', '/api/'].some((x) => pathLower.startsWith(x))) {
}
作用:确保Token验证逻辑对所有路径变体生效

第五层防御:初始化接口路径检查修复(第122-123行)
// 修复前:
if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {

// 修复后:
const pathLower = req.path.toLowerCase();
if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
2026-03-01 17:44:03 +08:00
..
api 修复 cron-parser import,websocket basepath 2025-12-23 00:28:16 +08:00
config Fix QlBaseUrl: use URL rewrite for base path support (#2876) 2025-12-22 23:44:29 +08:00
data Add signature verification support for Feishu bot notifications (#2856) 2025-11-27 01:10:04 +08:00
interface 修改定时规则类型 2025-02-21 01:35:08 +08:00
loaders 青龙面板鉴权绕过漏洞已修复 (#2935) 2026-03-01 17:44:03 +08:00
middlewares 修改服务启动逻辑 2025-05-07 09:30:00 +08:00
protos Add missing larkSecret field to gRPC NotificationInfo proto (#2880) 2025-12-22 23:38:42 +08:00
schedule Add cron task management to QLAPI (#2826) 2025-11-14 23:20:56 +08:00
services 修复运行中任务停止操作 2025-12-26 01:07:08 +08:00
shared 修复任务实例默认值 2025-11-23 12:45:02 +08:00
types 修改服务启动逻辑 2025-05-07 09:30:00 +08:00
validation 修复 cron-parser import,websocket basepath 2025-12-23 00:28:16 +08:00
app.ts 更新启动日志 2025-11-16 21:31:52 +08:00
token.ts 修改服务启动逻辑 2025-05-07 09:30:00 +08:00
tsconfig.json 修改服务启动逻辑 2025-05-07 09:30:00 +08:00