Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 13:14:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
3x-ui/web/service
History
farhadh 5ffd896a7c
fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 
Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range
and loopback targets before any outbound HTTP request (node probe,
xray download, outbound test, external traffic inform, tgbot API
server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For,
X-Forwarded-Host) are now only trusted when the direct connection
arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with
a per-request nonce. HTTP server gains read/write/idle timeouts. Panel
updater downloads the script to a temp file instead of piping curl into
shell. Xray archive download adds a size cap and response-code check.
backuptotgbot is changed from GET to POST.
2026-05-11 21:16:23 +02:00
..
config.json dokodemo-door, socks renamed to mixed, tunnel 2025-09-09 13:57:40 +02:00
custom_geo.go v3 2026-05-10 02:13:42 +02:00
custom_geo_test.go v3 2026-05-10 02:13:42 +02:00
inbound.go feat(inbounds): add sub/client link endpoints; hide panel version on login 2026-05-11 15:03:47 +02:00
metric_history.go Vue3 migration (#4198) 2026-05-09 17:47:35 +02:00
node.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
nord.go feat(xray/nord): searchable server list + colored load tag, surface API errors 2026-05-11 10:06:01 +02:00
outbound.go feat(xray/outbounds): TCP probe mode + Test All + timing breakdown 2026-05-11 04:17:23 +02:00
panel.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
panel_other.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
panel_test.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
panel_unix.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
port_conflict.go fix(inbounds): scope port check to node and preserve caller tag 2026-05-11 12:51:45 +02:00
port_conflict_test.go fix(inbounds): scope port check to node and preserve caller tag 2026-05-11 12:51:45 +02:00
server.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
setting.go feat(settings): redact secrets in AllSettingView and add TrustedProxyCIDRs 2026-05-11 21:16:22 +02:00
setting_security_test.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
tgbot.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
tgbot_test.go Implement CSRF protection and security hardening across the application (#4179) 2026-05-07 23:36:11 +02:00
traffic_writer.go fix(traffic-writer): replace sync.Once with Start/Stop cycle so SIGHUP restart works 2026-05-11 16:01:04 +02:00
url_safety.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
user.go feat(auth): block panel with default admin/admin credentials and guide credential change 2026-05-11 21:16:22 +02:00
warp.go v3 2026-05-10 02:13:42 +02:00
websocket.go v3 2026-05-10 02:13:42 +02:00
xray.go fix(nodes): bind form-encoded posts and skip node inbounds in central xray 2026-05-10 11:32:06 +02:00
xray_setting.go v3 2026-05-10 02:13:42 +02:00
xray_setting_test.go xray-setting: pin api routing rule to index 0 on save (#4124) 2026-04-28 17:49:39 +02:00