Fix overly permissive file permissions (os.ModePerm) (#4207)

Several file operations used os.ModePerm (0777) which makes files
world-writable and world-readable, violating the principle of least
privilege:

- database/db.go: InitDB directory creation → 0755
- xray/process.go: Xray config write → 0644
- xray/process.go: Crash report write → 0644
- web/service/server.go: Binary extraction → 0755

Also removes unused "io/fs" imports from the affected files.
Qiaochu Hu 2026-05-10 20:47:28 +08:00 committed by GitHub
parent dee2525d5f
commit 24cd271486
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 4 additions and 7 deletions


@ -6,7 +6,6 @@ import (
"bytes" "bytes"
"errors" "errors"
"io" "io"
"io/fs"
"log" "log"
"os" "os"
"path" "path"
@ -133,7 +132,7 @@ func isTableEmpty(tableName string) (bool, error) {
// InitDB sets up the database connection, migrates models, and runs seeders. // InitDB sets up the database connection, migrates models, and runs seeders.
func InitDB(dbPath string) error { func InitDB(dbPath string) error {
dir := path.Dir(dbPath) dir := path.Dir(dbPath)
err := os.MkdirAll(dir, fs.ModePerm) err := os.MkdirAll(dir, 0755)
if err != nil { if err != nil {
return err return err
} }
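Review bot: The `0755` in `os.MkdirAll(dir, 0755)` in InitDB only applies to directories the call actually creates, so an installation whose database directory already exists from the old `fs.ModePerm` code keeps its permissive bits after upgrading. The same holds for the two `os.WriteFile` calls in xray/process.go, which leave the mode of an existing file unchanged. Consider following the call with an explicit `os.Chmod(dir, 0750)`, or `0700` if only the panel's own user needs the database, since 0755 still lets every local account list and traverse the directory. InitDB's body continues past the end of this hunk, so the permissions given to the database file itself are not visible here.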


@ -7,7 +7,6 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
"io/fs"
"mime/multipart" "mime/multipart"
"net/http" "net/http"
"os" "os"
@ -660,7 +659,7 @@ func (s *ServerService) UpdateXray(version string) error {
defer zipFile.Close() defer zipFile.Close()
os.MkdirAll(filepath.Dir(fileName), 0755) os.MkdirAll(filepath.Dir(fileName), 0755)
os.Remove(fileName) os.Remove(fileName)
file, err := os.OpenFile(fileName, os.O_CREATE|os.O_RDWR|os.O_TRUNC, fs.ModePerm) file, err := os.OpenFile(fileName, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0755)
if err != nil { if err != nil {
return err return err
} }
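Review bot: The new `0755` on `os.OpenFile` takes effect only when the file is actually created, and that depends on the preceding `os.Remove(fileName)` having succeeded, whose error is discarded. If the removal fails and the old binary is still in place, `O_TRUNC` reuses it with whatever mode it already had. Either check the error, `if err := os.Remove(fileName); err != nil && !os.IsNotExist(err) { return err }`, or call `file.Chmod(0755)` once the open succeeds. The surrounding code in UpdateXray starts and ends outside the hunk.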


@ -5,7 +5,6 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io/fs"
"os" "os"
"os/exec" "os/exec"
"runtime" "runtime"
@ -321,7 +320,7 @@ func (p *process) Start() (err error) {
if p.configPath != "" { if p.configPath != "" {
configPath = p.configPath configPath = p.configPath
} }
err = os.WriteFile(configPath, data, fs.ModePerm) err = os.WriteFile(configPath, data, 0644)
if err != nil { if err != nil {
return common.NewErrorf("Failed to write configuration file: %v", err) return common.NewErrorf("Failed to write configuration file: %v", err)
} }
@ -381,5 +380,5 @@ func (p *process) Stop() error {
// writeCrashReport writes a crash report to the binary folder with a timestamped filename. // writeCrashReport writes a crash report to the binary folder with a timestamped filename.
func writeCrashReport(m []byte) error { func writeCrashReport(m []byte) error {
crashReportPath := config.GetBinFolderPath() + "/core_crash_" + time.Now().Format("20060102_150405") + ".log" crashReportPath := config.GetBinFolderPath() + "/core_crash_" + time.Now().Format("20060102_150405") + ".log"
return os.WriteFile(crashReportPath, m, os.ModePerm) return os.WriteFile(crashReportPath, m, 0644)
} }
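Review bot: `os.WriteFile(configPath, data, 0644)` in Start still leaves the generated Xray configuration readable by every local account. If that JSON carries client credentials or private keys, which is typical for a proxy configuration but not visible in this hunk, owner-only access is the safer default: `err = os.WriteFile(configPath, data, 0600)`, provided the Xray process runs as the same user that writes the file. The crash report in writeCrashReport could take `0600` as well, since crash output may echo parts of the configuration. Start begins and continues outside the hunk.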