Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-05-18 20:15:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
3x-ui/web/service/url_safety.go

83 lines
2 KiB
Go
Raw Normal View History

Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) * refactor(session): store user ID in session instead of full struct Replaces storing the full User object in the session cookie with just the user ID. GetLoginUser now re-fetches the user from the database on every request so credential/permission changes take effect immediately without requiring a re-login. Includes a backward-compatible migration path for existing sessions that still carry the old struct payload. * feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. * feat(settings): redact secrets in AllSettingView and add TrustedProxyCIDRs Introduces AllSettingView which strips tgBotToken, twoFactorToken, ldapPassword, apiToken and warp/nord secrets before sending them to the browser, replacing them with boolean hasFoo presence flags. A new /panel/setting/secret endpoint allows updating individual secrets by key. Secrets that arrive blank on a save are preserved from the DB rather than overwritten. Adds TrustedProxyCIDRs as a configurable setting (defaults to localhost CIDRs). URL fields are validated before save. * fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range and loopback targets before any outbound HTTP request (node probe, xray download, outbound test, external traffic inform, tgbot API server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For, X-Forwarded-Host) are now only trusted when the direct connection arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with a per-request nonce. HTTP server gains read/write/idle timeouts. Panel updater downloads the script to a temp file instead of piping curl into shell. Xray archive download adds a size cap and response-code check. backuptotgbot is changed from GET to POST. * feat(nodes): add allow-private-address toggle per node Adds AllowPrivateAddress to the Node model (DB default false). When enabled it bypasses the SSRF private-range check for that node's probe URL, allowing nodes hosted on RFC-1918 or loopback addresses (e.g. a private VPN or LAN setup). * chore: frontend UX improvements, CI pipeline, and dev tooling - AppSidebar: logout via POST /logout instead of navigating to GET - InboundList: persist filter state (search, protocol, node) to localStorage across page reloads; add protocol and node filter dropdowns - IndexPage: add health status strip (Xray, CPU, Memory, Update) with quick-action buttons - dependabot: weekly go mod and npm update schedule - ci.yml: add GitHub Actions workflow for build and vet - .nvmrc: pin Node 22 for local development - frontend: bump package.json and package-lock.json - SubPage, DnsPresetsModal, api-docs: minor fixes * fix(ci): stub web/dist before go list to satisfy go:embed at compile time * chore(ui): remove health-strip bar from dashboard top * Revert "feat(auth): block panel with default admin/admin credentials and guide credential change" This reverts commit 56ce6073ce09f08147f989858e0e88b3a4359546. * fix(auth): make logout POST+CSRF and propagate session loss to other tabs - Switch /logout from GET to POST with CSRFMiddleware so it matches the SPA's existing HttpUtil.post('/logout') call (previously 404'd silently) and blocks GET-based logout via image tags or link prefetchers. Handler now returns JSON; the SPA already navigates client-side. - Return 401 (instead of 404) from /panel/api/* when the caller is a browser XHR (X-Requested-With: XMLHttpRequest) so the axios interceptor redirects to the login page on logout-in-another-tab, cookie expiry, and server restart. Anonymous callers still get 404 to keep endpoints hidden from casual scanners. - One-shot the 401 redirect in axios-init.js and hang the rejected promise so queued polls don't stack reloads or surface error toasts while the browser is navigating away. - Add the CSP nonce to the runtime-injected <script> in dist.go so the panel loads under the existing script-src 'nonce-...' policy. - Update api-docs endpoints.js: GET /logout doc entry was missing. * fix(settings): POST /logout after credential change * fix(auth): invalidate other sessions when credentials change When the admin changes username/password from one machine, sessions on every other machine kept working until they manually logged out because session storage is a signed client-side cookie — there is no server-side session list to revoke. Add a per-user LoginEpoch counter stamped into the session at login and re-verified on every authenticated request. UpdateUser and UpdateFirstUser bump the epoch (UpdateUser via gorm.Expr so a single update statement is atomic), so any cookie issued before the change no longer matches the user's current epoch and GetLoginUser returns nil — the SPA's 401 interceptor then redirects to the login page. Backward compatible: the column defaults to 0 and missing cookie values are treated as 0, so sessions issued before this change remain valid until the first credential update. --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
2026-05-13 10:52:52 +00:00
package service
import (
"context"
"fmt"
"net"
"net/url"
"strings"
"time"
)
// SanitizeHTTPURL validates and normalizes an http(s) URL without resolving
// DNS. Use SanitizePublicHTTPURL at the point of an outbound request.
func SanitizeHTTPURL(raw string) (string, error) {
raw = strings.TrimSpace(raw)
if raw == "" {
return "", nil
}
u, err := url.Parse(raw)
if err != nil {
return "", err
}
if u.Scheme != "http" && u.Scheme != "https" {
return "", fmt.Errorf("unsupported URL scheme %q", u.Scheme)
}
if u.Host == "" || u.Hostname() == "" {
return "", fmt.Errorf("URL host is required")
}
clean := &url.URL{
Scheme: u.Scheme,
Host: u.Host,
Path: u.Path,
RawPath: u.RawPath,
RawQuery: u.RawQuery,
Fragment: u.Fragment,
}
return clean.String(), nil
}
// SanitizePublicHTTPURL validates and normalizes an http(s) URL, then blocks
// private/internal targets unless the caller explicitly allows them.
func SanitizePublicHTTPURL(raw string, allowPrivate bool) (string, error) {
clean, err := SanitizeHTTPURL(raw)
if err != nil || clean == "" {
return clean, err
}
if allowPrivate {
return clean, nil
}
u, err := url.Parse(clean)
if err != nil {
return "", err
}
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := rejectPrivateHost(ctx, u.Hostname()); err != nil {
return "", err
}
return clean, nil
}
func rejectPrivateHost(ctx context.Context, hostname string) error {
if ip := net.ParseIP(hostname); ip != nil {
if isBlockedIP(ip) {
return fmt.Errorf("blocked private/internal address %s", ip.String())
}
return nil
}
ips, err := net.DefaultResolver.LookupIPAddr(ctx, hostname)
if err != nil {
return fmt.Errorf("cannot resolve host %s: %w", hostname, err)
}
if len(ips) == 0 {
return fmt.Errorf("host %s has no IP addresses", hostname)
}
for _, ipAddr := range ips {
if isBlockedIP(ipAddr.IP) {
return fmt.Errorf("host %s resolves to blocked private/internal address %s", hostname, ipAddr.IP.String())
}
}
return nil
}
Reference in a new issue Copy permalink