2529 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Claude	b73e6a4c11	Add PR description template for GitHub pull request ... Includes both detailed and short versions of PR description with: - Complete security fix documentation - Step-by-step PR creation guide - Quick copy-paste sections - Technical details and references Makes it easy to create the pull request on GitHub.	2026-01-28 21:17:44 +00:00
Claude	73fa595f81	Add security fixes summary documentation ... Documents the two critical security vulnerabilities that were fixed: 1. ZIP Slip path traversal (CVSS 9.3) - FIXED 2. Command injection via argument handling (CVSS 7.5) - IMPROVED Includes: - Detailed before/after code comparisons - Security impact analysis - Test case recommendations - Verification instructions - Risk reduction metrics Status: 2 critical vulnerabilities fixed Remaining: 25 other issues documented in BUG_REPORT.md	2026-01-28 01:46:30 +00:00
Claude	3ff2079a5d	[SECURITY] Improve argument handling to prevent command injection ... Security improvements for process execution in ProcUtils. VULNERABILITY DETAILS: - Location: ServiceLib/Common/ProcUtils.cs:20-27, 58 - Type: CWE-78 (OS Command Injection) - Impact: Potential command injection via improper argument quoting - Risk: Double-quoting could break escaping and allow shell metacharacters SECURITY IMPROVEMENTS: 1. Prevent double-quoting: Check if strings are already quoted before adding quotes 2. Smart argument detection: Don't quote multi-argument strings (containing - or /) 3. Improved validation: Only quote single arguments with spaces 4. Added security comments documenting the quoting logic 5. Fixed RebootAsAdmin to use same safe quoting logic TECHNICAL CHANGES: - Check for existing quotes before calling AppendQuotes() - Detect multi-argument strings by checking for " -" and " /" patterns - Don't quote arguments that contain quotes (may be pre-formatted) - Extract exePath in RebootAsAdmin to apply same validation BEFORE (vulnerable): - Any string with spaces was blindly quoted - Already-quoted strings would be double-quoted: ""path"" (invalid) - Multi-argument strings treated as single arg: "arg1 arg2" (broken) AFTER (improved): - Only quote unquoted strings with spaces - Preserve existing quotes in strings - Detect and preserve multi-argument patterns - Consistent handling across both methods LIMITATIONS: - UseShellExecute = true is still used (required for URL/shell association handling) - For maximum security, callers should use whitelisting of allowed executables - Complex argument strings should be properly formatted by callers TESTING: - Handles paths like "C:\Program Files\app.exe" correctly - Preserves already-quoted paths: "\"C:\Program Files\app.exe\"" - Doesn't break multi-arg strings: "arg1 -flag value" - Works with both Windows (/) and Unix (-) style arguments References: - CWE-78: https://cwe.mitre.org/data/definitions/78.html - OWASP Command Injection: https://owasp.org/www-community/attacks/Command_Injection Note: This is a defense-in-depth measure. The primary risk mitigation is that most callers use application-controlled paths rather than user input.	2026-01-28 01:44:57 +00:00
Claude	8a18fd1c4b	[SECURITY] Fix ZIP Slip path traversal vulnerability (CVE-2024-XXXXX) ... Critical security fix for CVSS 9.3 vulnerability in ZipExtractToFile method. VULNERABILITY DETAILS: - Location: ServiceLib/Common/FileUtils.cs:105 - Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) - Impact: Arbitrary file write anywhere on filesystem via malicious ZIP files - Attack Vector: ZIP archives with path traversal sequences (e.g., "../../etc/passwd") SECURITY IMPROVEMENTS: 1. Added path validation using Path.GetFullPath() to normalize paths 2. Verify extracted files stay within target directory boundary 3. Block extraction if path traversal is detected 4. Added security logging for attempted path traversal attacks 5. Create nested directories safely before extraction 6. Changed from entry.Name to entry.FullName for proper path handling TECHNICAL CHANGES: - Added System.Security using statement for SecurityException - Validate destinationPath starts with baseDirectory - Log security violations with detailed entry information - Continue processing valid entries after blocking malicious ones TESTING: - Method now rejects entries like "../../../etc/passwd" - Allows legitimate nested paths like "subdir/file.txt" - Logs all path traversal attempts for security monitoring This fix protects against: - System file overwrites - Remote code execution via file replacement - Privilege escalation through configuration file tampering References: - https://security.snyk.io/research/zip-slip-vulnerability - CWE-22: https://cwe.mitre.org/data/definitions/22.html - OWASP: https://owasp.org/www-community/attacks/Path_Traversal Affected callers (now protected): - BackupAndRestoreViewModel.cs:138 (user backup restoration) - CheckUpdateViewModel.cs:291 (update file extraction)	2026-01-28 01:43:28 +00:00
Claude	7647c46175	Add comprehensive code review bug report ... This report documents 25 issues found during automated code review: - 2 critical security vulnerabilities (ZIP Slip, command injection risks) - 5 high severity issues (empty catch blocks, race conditions) - 8 medium severity issues (insufficient cancellation, async anti-patterns) - 5 low severity issues (hardcoded delays, code quality) - 5 code quality improvements Key findings: - ZIP Slip vulnerability in FileUtils.cs allowing path traversal - 12+ empty catch blocks silently swallowing exceptions - Race conditions in process lifecycle management - Only 2.4% of async methods use CancellationToken (11/452) - Task.Factory.StartNew anti-pattern in database code - Fire-and-forget async patterns leading to unhandled exceptions Report includes prioritized remediation plan and recommendations.	2026-01-24 22:51:11 +00:00
2dust	9ea80671d3	up 7.17.1	2026-01-18 19:32:44 +08:00
2dust	449849d8e8	Update Directory.Packages.props	2026-01-18 19:25:13 +08:00
DHR60	03b62b3d78	Fix (#8658)	2026-01-17 19:35:56 +08:00
DHR60	9f9b90cb97	Add hysteria2 uri cert sha pinning support (#8657)	2026-01-17 16:22:26 +08:00
DHR60	c42dcd2876	Add process matching rules support (#8643) ... * Add process matching rules support * Fix	2026-01-17 16:08:36 +08:00
2dust	2fefafdd37	Add support for CoreType7 (Hysteria2) in option settings	2026-01-17 16:06:29 +08:00
DHR60	2c9a90c878	Add xray hysteria2 outbound support (#8630)	2026-01-17 15:49:44 +08:00
DHR60	4e5f1838a2	Add Cert SHA-256 pinning support (#8613)	2026-01-17 15:42:40 +08:00
2dust	a45a1dc982	Ensure WebDAV base URL ends with trailing slash	2026-01-17 15:08:08 +08:00
2dust	fe183798b6	Refactor child item aggregation in managers	2026-01-13 20:24:52 +08:00
2dust	947c84cf10	Refactor 'Move to Group' menu in ProfilesView	2026-01-10 15:14:58 +08:00
2dust	9c74b51d74	up 7.17.0	2026-01-09 18:44:28 +08:00
2dust	abd962ab31	Update Global.cs	2026-01-08 17:15:59 +08:00
DHR60	f3b894015e	Add sing-box ech support (#8603) ... * Add sing-box ech support * Support group config type * Simplified code	2026-01-08 13:56:45 +08:00
2dust	4562d4cf00	Add ECH config support to profile and UI ... Introduces EchConfigList and EchForceQuery fields to ProfileItem and V2rayConfig models, updates related handlers and services to process these fields, and extends the AddServerWindow UI to allow user input for ECH configuration. Also adds localization entries for the new fields and updates extension methods for string handling.	2026-01-07 11:34:13 +08:00
JieXu	bc36cf8a47	Code Clean (#8586)	2026-01-05 09:56:43 +08:00
Kazuto Iris	cbdfe2e15a	fix: Fix failure to follow system theme changes (#8584) ... Fix the issue where the application failed to sync with system dark/light mode changes in specific scenarios such as triggering system theme switching via scheduled tasks while waking from hibernation, caused by the unreliable HWND hook implementation that missed critical events.	2026-01-05 09:56:33 +08:00
2dust	68583e20bc	Update package versions in Directory.Packages.props	2026-01-03 19:06:17 +08:00
DHR60	6d6459b009	Fix edge cases (#8564)	2026-01-03 10:20:27 +08:00
2dust	807562b69e	Set all .NET publish tasks to self-contained	2025-12-28 14:10:00 +08:00
2dust	654d7d83d0	up 7.16.9	2025-12-25 18:34:10 +08:00
2dust	027252e687	Move ShowInTaskbar and RunningCoreType to AppManager	2025-12-24 16:01:28 +08:00
2dust	5478c90180	Bug fix ... https://github.com/2dust/v2rayN/issues/8515	2025-12-24 14:19:36 +08:00
DHR60	28f30d7e97	Revert "Add TLS ALPN check for WS (#8469)" (#8517) ... This reverts commit 6e27dca6cd.	2025-12-24 13:38:08 +08:00
2dust	ae7d54c2e5	up 7.16.8	2025-12-22 19:04:36 +08:00
2dust	56d0d65b06	Reduce minimum width of MainWindow	2025-12-22 19:03:47 +08:00
2dust	5e8e189c27	Increase MenuItemHeight to 32 in App.xaml	2025-12-21 18:53:09 +08:00
2dust	3fee86d44a	Add context menu to subscription DataGrid	2025-12-21 18:53:00 +08:00
2dust	dd77eb79c6	Remove .NET self-contained zip check in UpdateService	2025-12-20 14:47:40 +08:00
2dust	d26a2559a6	up 7.16.7	2025-12-20 14:12:41 +08:00
2dust	e5ba1759aa	Update Directory.Packages.props	2025-12-20 14:12:16 +08:00
dependabot[bot]	bfdee37cc1	Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#8493) ... Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-16 09:19:09 +08:00
dependabot[bot]	cf89cfcd95	Bump actions/download-artifact from 6 to 7 (#8492) ... Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-16 09:19:00 +08:00
2dust	39a988c704	Update Directory.Packages.props	2025-12-13 15:18:52 +08:00
JieXu	2b28254fbc	Update ResUI.fr.resx (#8472)	2025-12-10 17:56:19 +08:00
DHR60	6e27dca6cd	Add TLS ALPN check for WS (#8469)	2025-12-09 20:22:13 +08:00
DHR60	7cee98887b	Refactor Node Precheck (#8464)	2025-12-09 20:03:07 +08:00
DHR60	3885ff8b31	Fix Shadowsocks Fmt (#8462)	2025-12-08 19:55:27 +08:00
2dust	12abf383e9	up 7.16.6	2025-12-07 15:32:45 +08:00
2dust	5bef02bd6d	Code clean	2025-12-07 15:32:03 +08:00
2dust	592f1260b5	Remove Cloudflare IP API URL from IPAPIUrls ... https://github.com/2dust/v2rayN/issues/8441	2025-12-07 15:24:54 +08:00
2dust	18303688d7	Refactor AddGroupServerWindow tab controls layout	2025-12-07 15:22:40 +08:00
2dust	5c4b7f6636	Update Directory.Packages.props	2025-12-07 15:22:19 +08:00
tt2563	37cce2fa35	「desktop版本－啟用連線資訊測試位址自訂輸入」 (#8456)	2025-12-07 15:21:11 +08:00
dependabot[bot]	6f8b65c75b	Bump actions/checkout from 6.0.0 to 6.0.1 (#8437) ... Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6.0.0...v6.0.1) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-04 18:24:14 +08:00