3x-ui/web/service
Sanaei 46d9a0e8cf
Add SSRF protection (#4044)
* Add SSRF protection for custom geo downloads

Introduce SSRF-safe HTTP transport for custom geo operations by adding ssrfSafeTransport and isBlockedIP helpers. The transport resolves hosts and blocks loopback, private, link-local and unspecified addresses, returning ErrCustomGeoSSRFBlocked on violations. Update probeCustomGeoURLWithGET, probeCustomGeoURL and downloadToPathOnce to use the safe transport. Also add the new error ErrCustomGeoSSRFBlocked and necessary imports. Minor whitespace/formatting adjustments in subClashService.go, web/entity/entity.go and web/service/setting.go.

* Add path traversal protection for custom geo

Prevent path traversal when handling custom geo downloads by adding ErrCustomGeoPathTraversal and a validateDestPath() helper that ensures destination paths stay inside the bin folder. Call validateDestPath from downloadToPathOnce, Update and Delete paths and wrap errors appropriately. Reconstruct sanitized URLs in sanitizeURL to break taint propagation before use. Map the new path-traversal error to a user-facing i18n message in the controller.

* fix
2026-04-20 00:10:02 +02:00
config.json dokodemo-door, socks renamed to mixed, tunnel 2025-09-09 13:57:40 +02:00
custom_geo.go Add SSRF protection (#4044) 2026-04-20 00:10:02 +02:00
custom_geo_test.go Add SSRF protection (#4044) 2026-04-20 00:10:02 +02:00
inbound.go Add new hourly reset traffic (#3966) 2026-04-19 21:37:34 +02:00
outbound.go fix security issue 2026-02-09 23:36:10 +01:00
panel.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
server.go Fix geosite:ru rule (Normalization to RU vs lowercase ru) (#3971) 2026-04-19 21:44:51 +02:00
setting.go Add SSRF protection (#4044) 2026-04-20 00:10:02 +02:00
tgbot.go feat(tgbot): send connection links and qrs on client creation (closes #3320) - Refactored inline keyboards into getCommonClientButtons to respect DRY - Extended SubmitAddClient callback handlers to dispatch individual links and QR codes to the bot chat on success. (#3888) 2026-03-17 22:09:49 +01:00
user.go Add Go code analyzer workflow 2026-03-17 23:01:15 +01:00
warp.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
xray.go fix: enhance WebSocket stability, resolve XHTTP configurations and fix UI loading shifts (#3997) 2026-04-19 21:01:00 +02:00
xray_setting.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00