mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-18 12:05:53 +00:00
38da210ded
The Node.Probe and Remote.do paths built outbound URLs by string-
formatting admin-controlled fields (Scheme/Address/Port/BasePath)
straight into requests, then dialed the result with the default
transport. CodeQL flagged this as go/request-forgery — an admin
(or anyone who compromises the admin account) could point a node
at internal infrastructure (cloud metadata, RFC1918 ranges, etc.)
and the panel would dutifully fetch it.
Add util/netsafe with a shared TOCTOU-safe DialContext that
resolves the host, rejects private/internal IPs unless the
per-request context whitelists them (per-node AllowPrivateAddress
flag, plumbed through context.Value), and dials the resolved IP
directly so the IP that passed the check is the IP we connect to.
This closes the DNS-rebinding window where a hostname could
resolve to a public IP at check time and a private one at dial.
Also tighten address validation (NormalizeHost rejects anything
that isn't a bare hostname or IP literal — no embedded paths,
userinfo, schemes) and switch URL construction from fmt.Sprintf to
url.URL{} + net.JoinHostPort so admin-supplied values can't smuggle
URL components.
custom_geo.go's isBlockedIP now delegates to netsafe so there's
one source of truth.
|
||
|---|---|---|
| .. | ||
| config.json | ||
| custom_geo.go | ||
| custom_geo_test.go | ||
| inbound.go | ||
| metric_history.go | ||
| node.go | ||
| nord.go | ||
| outbound.go | ||
| panel.go | ||
| panel_other.go | ||
| panel_test.go | ||
| panel_unix.go | ||
| port_conflict.go | ||
| port_conflict_test.go | ||
| server.go | ||
| server_vlessenc_test.go | ||
| setting.go | ||
| setting_security_test.go | ||
| tgbot.go | ||
| tgbot_test.go | ||
| traffic_writer.go | ||
| traffic_writer_test.go | ||
| url_safety.go | ||
| user.go | ||
| warp.go | ||
| websocket.go | ||
| xray.go | ||
| xray_metrics.go | ||
| xray_setting.go | ||
| xray_setting_test.go | ||