3x-ui/web/job
farhadh 5ffd896a7c
fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts
Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range
and loopback targets before any outbound HTTP request (node probe,
xray download, outbound test, external traffic inform, tgbot API
server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For,
X-Forwarded-Host) are now only trusted when the direct connection
arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with
a per-request nonce. HTTP server gains read/write/idle timeouts. Panel
updater downloads the script to a temp file instead of piping curl into
shell. Xray archive download adds a size cap and response-code check.
backuptotgbot is changed from GET to POST.
2026-05-11 21:16:23 +02:00
check_client_ip_job.go v3 2026-05-10 02:13:42 +02:00
check_client_ip_job_integration_test.go v3 2026-05-10 02:13:42 +02:00
check_client_ip_job_test.go iplimit: don't count idle db-only ips toward the per-client limit 2026-04-23 21:11:45 +03:00
check_cpu_usage.go v3 2026-05-10 02:13:42 +02:00
check_hash_storage.go v3 2026-05-10 02:13:42 +02:00
check_xray_running_job.go v3 2026-05-10 02:13:42 +02:00
clear_logs_job.go v3 2026-05-10 02:13:42 +02:00
ldap_sync_job.go v3 2026-05-10 02:13:42 +02:00
node_heartbeat_job.go feat(nodes): traffic-writer queue, full-mirror sync, WS event fixes 2026-05-10 16:25:23 +02:00
node_traffic_sync_job.go feat(nodes): traffic-writer queue, full-mirror sync, WS event fixes 2026-05-10 16:25:23 +02:00
periodic_traffic_reset_job.go v3 2026-05-10 02:13:42 +02:00
stats_notify_job.go v3 2026-05-10 02:13:42 +02:00
xray_traffic_job.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00