From 5392c13086220a9791859acdff7b5f1ff4e83983 Mon Sep 17 00:00:00 2001 From: kingecg Date: Sat, 11 Jul 2026 11:38:51 +0800 Subject: [PATCH] fix problems --- admin/admin.go | 10 ++++++++++ admin/login.go | 12 ++++++++++-- go.sum | 6 ------ gohttp.go | 10 +++++++--- handler/file.go | 12 ++++++++++-- handler/proxy.go | 5 +++++ server/middleware.go | 2 +- 7 files changed, 43 insertions(+), 14 deletions(-) diff --git a/admin/admin.go b/admin/admin.go index 6e012eb..cf9026e 100644 --- a/admin/admin.go +++ b/admin/admin.go @@ -100,6 +100,11 @@ func stop(c *gin.Context) { name := c.Param("name") if name != "" { serverConf := model.GetServerConfig(name) + if serverConf == nil { + c.Writer.WriteHeader(http.StatusNotFound) + c.Writer.Write(server.NewErrorResult(errors.New("server not found"))) + return + } server.StopServer(name, serverConf.Port) c.Writer.WriteHeader(http.StatusOK) data := "stopped" @@ -113,6 +118,11 @@ func start(c *gin.Context) { name := c.Param("name") if name != "" { serverConf := model.GetServerConfig(name) + if serverConf == nil { + c.Writer.WriteHeader(http.StatusNotFound) + c.Writer.Write(server.NewErrorResult(errors.New("server not found"))) + return + } server.StartServer(name, serverConf.Port) c.Writer.WriteHeader(http.StatusOK) data := "started" diff --git a/admin/login.go b/admin/login.go index 2c116c0..2b6860c 100644 --- a/admin/login.go +++ b/admin/login.go @@ -44,7 +44,12 @@ func login(c *gin.Context) { // 验证是否为管理员账号 if loginModel.Username == "admin" { // 解密密码并验证与配置文件中密码是否匹配 - decryptText, _ := Decrypt(loginModel.Encrypt) + decryptText, err := Decrypt(loginModel.Encrypt) + if err != nil { + c.Writer.WriteHeader(http.StatusUnauthorized) + c.Writer.Write(server.NewErrorResult(err)) + return + } if decryptText == model.GetConfig().Admin.Password { // 生成JWT令牌 token, err := GenerateToken(loginModel.Username) @@ -55,7 +60,7 @@ func login(c *gin.Context) { } // 设置认证Cookie并返回成功响应 cookie := &http.Cookie{ - Name: "token", + Name: "auth_token", Value: token, Path: "/", SameSite: http.SameSiteStrictMode, @@ -103,6 +108,9 @@ func Decrypt(ciphertext string) (string, error) { plaintext = append(plaintext, dd[0]^0xFF) } //去除末尾13个字节 + if len(plaintext) <= 13 { + return "", errors.New("ciphertext too short") + } plaintext = plaintext[1 : len(plaintext)-13] return string(plaintext), nil } diff --git a/go.sum b/go.sum index c1f213d..48d841d 100644 --- a/go.sum +++ b/go.sum @@ -1,13 +1,7 @@ git.kingecg.top/kingecg/cmux v1.0.1 h1:Opon5dTuXqMij8SmPZ8fXH7X60L0VfTYvcGy527dYK8= git.kingecg.top/kingecg/cmux v1.0.1/go.mod h1:a+F13YErFNop1u5s445sxaJkDqnZ8Vy7aIvWncbn+tM= -git.kingecg.top/kingecg/godaemon v1.0.4 h1:YBVdrgWoSShFAkltD89iLuylvTaq1/pbo/LJ7ezIB9w= -git.kingecg.top/kingecg/godaemon v1.0.4/go.mod h1:IinFiox6YMmObc0Tw9B+XMRamZKTP0TQ5ZenhPAu+Sk= git.kingecg.top/kingecg/godaemon v1.0.6 h1:pQ8S8U+zJHG7N1CM5l1fsPKHOJj94GuoK1E/iQqX4P0= git.kingecg.top/kingecg/godaemon v1.0.6/go.mod h1:/XanR1ZQVEEuaA3/jB2W49mrczvCwXGh27HcNBR/xT4= -git.kingecg.top/kingecg/gologger v1.0.10 h1:o6CNJ3TM9wOnKsV0hNasSSmZXEOMl5mBXZDnKJnC0a0= -git.kingecg.top/kingecg/gologger v1.0.10/go.mod h1:auMA7VGipqttnF0jmtclhbaIr08gqtVPj6BSMknHTOE= -git.kingecg.top/kingecg/gologger v1.0.11 h1:/GmDOvHJyaBRFXjsk2DqqawwraCBVrOpNRBHf1B6Do0= -git.kingecg.top/kingecg/gologger v1.0.11/go.mod h1:auMA7VGipqttnF0jmtclhbaIr08gqtVPj6BSMknHTOE= git.kingecg.top/kingecg/gologger v1.0.12 h1:SRmpJY1v6joia6AEe9AIInusRiSwve7Rt1tZQMPrBqg= git.kingecg.top/kingecg/gologger v1.0.12/go.mod h1:auMA7VGipqttnF0jmtclhbaIr08gqtVPj6BSMknHTOE= github.com/bytedance/sonic v1.11.6 h1:oUp34TzMlL+OY1OUWxHqsdkgC/Zfc85zGqw9siXjrc0= diff --git a/gohttp.go b/gohttp.go index 4568339..6678df4 100644 --- a/gohttp.go +++ b/gohttp.go @@ -98,11 +98,15 @@ func LoadConfig() { cpath := utils.NormalizePath("./config.json") // 从指定路径读取配置文件的内容 - // 忽略可能的错误,实际应用中应处理错误 - content, _ := os.ReadFile(cpath) + content, err := os.ReadFile(cpath) + if err != nil { + panic("failed to read config file: " + err.Error()) + } // 将读取的 JSON 内容解析到 model.Config 结构体中 - json.Unmarshal(content, &model.Config) + if err := json.Unmarshal(content, &model.Config); err != nil { + panic("failed to parse config file: " + err.Error()) + } // 规范化配置中日志追加器的文件路径 // 遍历配置中的所有日志追加器 diff --git a/handler/file.go b/handler/file.go index 0b0d646..5893212 100644 --- a/handler/file.go +++ b/handler/file.go @@ -47,8 +47,16 @@ func (f FileHandler) Open(name string) (http.File, error) { } // Resolve symlinks and clean path to prevent path traversal - realRoot, _ := filepath.EvalSymlinks(f.Root) - realRPath, _ := filepath.EvalSymlinks(rPath) + realRoot, err := filepath.EvalSymlinks(f.Root) + if err != nil { + l.Error("failed to resolve root symlinks:", err) + return nil, err + } + realRPath, err := filepath.EvalSymlinks(rPath) + if err != nil { + l.Error("failed to resolve path symlinks:", err) + return nil, errors.New("not permitted") + } // Check if the resolved path is within root if realRPath != realRoot && !strings.HasPrefix(realRPath, realRoot+string(filepath.Separator)) { diff --git a/handler/proxy.go b/handler/proxy.go index de24c1a..57ac5e2 100644 --- a/handler/proxy.go +++ b/handler/proxy.go @@ -41,6 +41,11 @@ func (p *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { } } + // Bounds check to prevent out of bounds access + if proxyIndex < 0 || int(proxyIndex) >= len(p.Upstreams) { + proxyIndex = 0 + } + // 如果选中的上游服务器不健康,则进行重试 maxRetries := 3 for i := 0; i < maxRetries; i++ { diff --git a/server/middleware.go b/server/middleware.go index fdbab6f..13edf12 100644 --- a/server/middleware.go +++ b/server/middleware.go @@ -131,7 +131,7 @@ func JwtAuth(w http.ResponseWriter, r *http.Request, next http.Handler) { return []byte(jwtConfig.Secret), nil }) if err != nil { - l.Error("Failed to parse JWT: %v", err) + l.Error(fmt.Sprintf("Failed to parse JWT: %v", err)) http.Error(w, "Unauthorized.", http.StatusUnauthorized) return }