fix security issue

This commit is contained in:
MHSanaei 2026-02-09 22:56:21 +01:00
parent 0994f8756f
commit c2f409c3c4
No known key found for this signature in database
GPG key ID: 7E4060F2FBE5AB7A
3 changed files with 14 additions and 8 deletions


@ -56,9 +56,17 @@ func (a *XraySettingController) getXraySetting(c *gin.Context) {
if outboundTestUrl == "" { if outboundTestUrl == "" {
outboundTestUrl = "https://www.google.com/generate_204" outboundTestUrl = "https://www.google.com/generate_204"
} }
urlJSON, _ := json.Marshal(outboundTestUrl) xrayResponse := map[string]interface{}{
xrayResponse := "{ \"xraySetting\": " + xraySetting + ", \"inboundTags\": " + inboundTags + ", \"outboundTestUrl\": " + string(urlJSON) + " }" "xraySetting": json.RawMessage(xraySetting),
jsonObj(c, xrayResponse, nil) "inboundTags": json.RawMessage(inboundTags),
"outboundTestUrl": outboundTestUrl,
}
result, err := json.Marshal(xrayResponse)
if err != nil {
jsonMsg(c, I18nWeb(c, "pages.settings.toasts.getSettings"), err)
return
}
jsonObj(c, string(result), nil)
} }
// updateSetting updates the Xray configuration settings. // updateSetting updates the Xray configuration settings.
@ -140,7 +148,6 @@ func (a *XraySettingController) resetOutboundsTraffic(c *gin.Context) {
// Optional form "allOutbounds": JSON array of all outbounds; used to resolve sockopt.dialerProxy dependencies. // Optional form "allOutbounds": JSON array of all outbounds; used to resolve sockopt.dialerProxy dependencies.
func (a *XraySettingController) testOutbound(c *gin.Context) { func (a *XraySettingController) testOutbound(c *gin.Context) {
outboundJSON := c.PostForm("outbound") outboundJSON := c.PostForm("outbound")
testURL := c.PostForm("testURL")
allOutboundsJSON := c.PostForm("allOutbounds") allOutboundsJSON := c.PostForm("allOutbounds")
if outboundJSON == "" { if outboundJSON == "" {
@ -148,6 +155,9 @@ func (a *XraySettingController) testOutbound(c *gin.Context) {
return return
} }
// Load the test URL from server settings to prevent SSRF via user-controlled URLs
testURL, _ := a.SettingService.GetXrayOutboundTestUrl()
result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON) result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON)
if err != nil { if err != nil {
jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err) jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
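Review bot: In the testOutbound hunk, `testURL, _ := a.SettingService.GetXrayOutboundTestUrl()` discards the error and applies no fallback, so a failed lookup or an empty stored setting hands an empty URL to TestOutbound, whereas getXraySetting in the first hunk substitutes `https://www.google.com/generate_204` when the stored value is empty. I would check the error and reuse the same default so the two paths agree, as below. Moving the URL into server settings removes the per-request SSRF vector, but the stored value is presumably still writable through the settings update endpoint, so whatever persists it should restrict the scheme to http/https — that code is not in this diff. The body of testOutbound continues past the end of the hunk.
```go
	// Load the test URL from server settings to prevent SSRF via user-controlled URLs
	testURL, err := a.SettingService.GetXrayOutboundTestUrl()
	if err != nil {
		jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
		return
	}
	if testURL == "" {
		testURL = "https://www.google.com/generate_204"
	}
	// … unchanged: TestOutbound call and its error handling …
```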


@ -654,12 +654,10 @@
try { try {
const outboundJSON = JSON.stringify(outbound); const outboundJSON = JSON.stringify(outbound);
const testURL = this.outboundTestUrl || 'https://www.google.com/generate_204';
const allOutboundsJSON = JSON.stringify(this.templateSettings.outbounds || []); const allOutboundsJSON = JSON.stringify(this.templateSettings.outbounds || []);
const msg = await HttpUtil.post("/panel/xray/testOutbound", { const msg = await HttpUtil.post("/panel/xray/testOutbound", {
outbound: outboundJSON, outbound: outboundJSON,
testURL: testURL,
allOutbounds: allOutboundsJSON allOutbounds: allOutboundsJSON
}); });


@ -1,7 +1,6 @@
package service package service
import ( import (
"crypto/tls"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
@ -352,7 +351,6 @@ func (s *OutboundService) testConnection(proxyPort int, testURL string) (int64,
Timeout: 5 * time.Second, Timeout: 5 * time.Second,
KeepAlive: 30 * time.Second, KeepAlive: 30 * time.Second,
}).DialContext, }).DialContext,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
MaxIdleConns: 1, MaxIdleConns: 1,
IdleConnTimeout: 10 * time.Second, IdleConnTimeout: 10 * time.Second,
DisableCompression: true, DisableCompression: true,