Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range and loopback targets before any outbound HTTP request (node probe, xray download, outbound test, external traffic inform, tgbot API server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For, X-Forwarded-Host) are now only trusted when the direct connection arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with a per-request nonce. HTTP server gains read/write/idle timeouts. Panel updater downloads the script to a temp file instead of piping curl into shell. Xray archive download adds a size cap and response-code check. backuptotgbot is changed from GET to POST.
package controller
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
)
// TestGetRemoteIpIgnoresForwardedHeadersFromUntrustedRemote checks that when
// the TCP peer is not a trusted proxy, getRemoteIp reports the connection's
// own source address (port stripped) and ignores the client-controlled
// X-Real-IP and X-Forwarded-For headers entirely.
func TestGetRemoteIpIgnoresForwardedHeadersFromUntrustedRemote(t *testing.T) {
	gin.SetMode(gin.TestMode)

	const (
		peerAddr = "203.0.113.10:12345" // RFC 5737 documentation range; presumably outside any default trusted-proxy CIDR — verify against TrustedProxyCIDRs
		wantIP   = "203.0.113.10"
	)

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = peerAddr
	// Both spoofable headers name a different host; neither may be honored.
	req.Header.Set("X-Real-IP", "198.51.100.9")
	req.Header.Set("X-Forwarded-For", "198.51.100.8")

	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
	ctx.Request = req

	got := getRemoteIp(ctx)
	if got != wantIP {
		t.Fatalf("remote IP = %q, want request remote address", got)
	}
}
// TestGetRemoteIpHonorsForwardedHeadersFromTrustedLoopbackProxy checks that
// when the TCP peer is loopback (expected to be covered by the trusted-proxy
// ranges) the client address comes from X-Forwarded-For rather than from
// RemoteAddr, and that the proxy's own loopback entry at the tail of the
// chain is not what gets returned.
//
// NOTE(review): this input is satisfied both by an implementation that takes
// the leftmost X-Forwarded-For entry and by one that walks right-to-left
// skipping trusted hops. Only the latter is spoof-resistant; a case with an
// untrusted address to the left (e.g. "1.2.3.4, 198.51.100.8") would tell
// them apart — confirm getRemoteIp's semantics before adding it.
func TestGetRemoteIpHonorsForwardedHeadersFromTrustedLoopbackProxy(t *testing.T) {
	gin.SetMode(gin.TestMode)

	const (
		proxyAddr = "127.0.0.1:12345"
		wantIP    = "198.51.100.8"
	)

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = proxyAddr
	// Two-hop chain: original client first, loopback proxy last.
	req.Header.Set("X-Forwarded-For", "198.51.100.8, 127.0.0.1")

	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
	ctx.Request = req

	got := getRemoteIp(ctx)
	if got != wantIP {
		t.Fatalf("remote IP = %q, want forwarded client IP", got)
	}
}