소스 검색

fix(link): strip query and trailing slash when parsing ss:// port (#5895)

* fix(link): strip query and trailing slash when parsing ss:// port

Subscription-provided Shadowsocks links use the SIP002 form
ss://userinfo@host:port[/][?plugin=...]#tag. parseShadowsocks only
stripped the #fragment, so a "?plugin=" / "?type=" query and the
optional trailing slash leaked into the host:port split, strconv.Atoi
failed, and the port was silently set to 0 (the error was discarded).
Direct link import was unaffected because it runs through the frontend
parser, which already handles this.

Strip the query and the trailing slash before splitting host:port,
mirroring the frontend outbound-link-parser and the SIP002 grammar.
This complements #5432, which fixed the SS2022 generation side.

Add table-driven parseShadowsocks tests covering modern, legacy,
base64url userinfo, the SIP002 slash+plugin form, and SIP022
percent-encoded userinfo with a dual-key password.

* fix(link): surface ss:// port parse errors instead of defaulting to 0

  The modern and legacy Shadowsocks branches discarded the strconv.Atoi
  error when reading the port, silently yielding port 0 for any malformed
  host:port. Return a parse error instead, matching defaultPort's existing
  pattern in this file, so a bad link is skipped by ParseSubscriptionBody
  rather than injected as an unusable port-0 outbound.
Dmitrii Ignatov 1 일 전
부모
커밋
affcf6c422
2개의 변경된 파일122개의 추가작업 그리고 3개의 파일을 삭제
  1. 12 3
      internal/util/link/outbound.go
  2. 110 0
      internal/util/link/outbound_test.go

+ 12 - 3
internal/util/link/outbound.go

@@ -338,12 +338,15 @@ func parseShadowsocks(link string) (*ParseResult, error) {
 		remark, _ = url.QueryUnescape(link[i+1:])
 		link = link[:i]
 	}
+	if i := strings.Index(link, "?"); i >= 0 {
+		link = link[:i]
+	}
 	core := strings.TrimPrefix(link, "ss://")
 	at := strings.Index(core, "@")
 	if at >= 0 {
 		// modern
 		userB64 := core[:at]
-		hp := core[at+1:]
+		hp := strings.TrimRight(core[at+1:], "/")
 		userInfo, err := base64DecodeFlexible(userB64)
 		if err != nil {
 			// SIP022 (2022-blake3-*) userinfo is percent-encoded, not base64.
@@ -358,7 +361,10 @@ func parseShadowsocks(link string) (*ParseResult, error) {
 			return nil, fmt.Errorf("bad ss host:port")
 		}
 		host := hp[:colon]
-		port, _ := strconv.Atoi(hp[colon+1:])
+		port, err := strconv.Atoi(hp[colon+1:])
+		if err != nil {
+			return nil, fmt.Errorf("bad ss port %q: %w", hp[colon+1:], err)
+		}
 		method, pass := splitMethodPass(userInfo)
 		identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
 		ob := Outbound{
@@ -388,7 +394,10 @@ func parseShadowsocks(link string) (*ParseResult, error) {
 		return nil, fmt.Errorf("bad legacy ss hp")
 	}
 	host := hp[:colon]
-	port, _ := strconv.Atoi(hp[colon+1:])
+	port, err := strconv.Atoi(hp[colon+1:])
+	if err != nil {
+		return nil, fmt.Errorf("bad legacy ss port %q: %w", hp[colon+1:], err)
+	}
 	method, pass := splitMethodPass(userInfo)
 	identity := "ss:" + method + ":" + pass + "@" + host + ":" + strconv.Itoa(port)
 	ob := Outbound{

+ 110 - 0
internal/util/link/outbound_test.go

@@ -1,6 +1,7 @@
 package link
 
 import (
+	"encoding/base64"
 	"net/url"
 	"strings"
 	"testing"
@@ -113,6 +114,115 @@ func TestSanitizeFinalMaskQuicParams_ClampsAndRejects(t *testing.T) {
 	}
 }
 
+func TestParseShadowsocks(t *testing.T) {
+	modernUser := base64.StdEncoding.EncodeToString([]byte("aes-256-gcm:secretpass"))
+	legacyBody := base64.StdEncoding.EncodeToString([]byte("aes-256-gcm:[email protected]:8388"))
+	cases := []struct {
+		name   string
+		link   string
+		host   string
+		port   int
+		method string
+		pass   string
+	}{
+		{
+			name:   "modern",
+			link:   "ss://" + modernUser + "@1.2.3.4:8388#node",
+			host:   "1.2.3.4",
+			port:   8388,
+			method: "aes-256-gcm",
+			pass:   "secretpass",
+		},
+		{
+			name:   "modern with plugin query",
+			link:   "ss://" + modernUser + "@1.2.3.4:8388?plugin=v2ray-plugin#node",
+			host:   "1.2.3.4",
+			port:   8388,
+			method: "aes-256-gcm",
+			pass:   "secretpass",
+		},
+		{
+			name:   "modern sip002 slash query",
+			link:   "ss://" + modernUser + "@1.2.3.4:8388/?plugin=obfs-local%3Bobfs%3Dhttp#node",
+			host:   "1.2.3.4",
+			port:   8388,
+			method: "aes-256-gcm",
+			pass:   "secretpass",
+		},
+		{
+			name:   "legacy",
+			link:   "ss://" + legacyBody + "#node",
+			host:   "1.2.3.4",
+			port:   8388,
+			method: "aes-256-gcm",
+			pass:   "secretpass",
+		},
+		{
+			name:   "base64url userinfo with plugin and trailing slash",
+			link:   "ss://" + base64.RawURLEncoding.EncodeToString([]byte("aes-128-gcm:pa+ss/word")) + "@1.2.3.4:8388/?plugin=obfs-local%3Bobfs%3Dhttp#node",
+			host:   "1.2.3.4",
+			port:   8388,
+			method: "aes-128-gcm",
+			pass:   "pa+ss/word",
+		},
+		{
+			name:   "sip022 percent-encoded userinfo",
+			link:   "ss://2022-blake3-aes-256-gcm:YctPZ6U7xPPcU%2Bgp3u%2B0tx%2FtRizJN9K8y%2BuKlW2qjlI%[email protected]:8888#Example3",
+			host:   "example.com",
+			port:   8888,
+			method: "2022-blake3-aes-256-gcm",
+			pass:   "YctPZ6U7xPPcU+gp3u+0tx/tRizJN9K8y+uKlW2qjlI=",
+		},
+		{
+			name:   "sip022 dual-key password with type query preserves inner colon",
+			link:   "ss://2022-blake3-aes-256-gcm:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB%[email protected]:9999?type=tcp#node",
+			host:   "1.2.3.4",
+			port:   9999,
+			method: "2022-blake3-aes-256-gcm",
+			pass:   "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			res, err := ParseLink(c.link)
+			if err != nil {
+				t.Fatalf("parse ss: %v", err)
+			}
+			if res.Outbound["protocol"] != "shadowsocks" {
+				t.Fatalf("protocol = %v, want shadowsocks", res.Outbound["protocol"])
+			}
+			srv := res.Outbound["settings"].(map[string]any)["servers"].([]any)[0].(map[string]any)
+			if srv["address"] != c.host {
+				t.Errorf("address = %v, want %v", srv["address"], c.host)
+			}
+			if srv["port"] != c.port {
+				t.Errorf("port = %v, want %v", srv["port"], c.port)
+			}
+			if srv["method"] != c.method {
+				t.Errorf("method = %v, want %v", srv["method"], c.method)
+			}
+			if srv["password"] != c.pass {
+				t.Errorf("password = %v, want %v", srv["password"], c.pass)
+			}
+		})
+	}
+}
+
+func TestParseShadowsocksBadPort(t *testing.T) {
+	user := base64.StdEncoding.EncodeToString([]byte("aes-256-gcm:secretpass"))
+	cases := map[string]string{
+		"modern": "ss://" + user + "@1.2.3.4:notaport#node",
+		"legacy": "ss://" + base64.StdEncoding.EncodeToString([]byte("aes-256-gcm:[email protected]:notaport")) + "#node",
+	}
+	for name, link := range cases {
+		t.Run(name, func(t *testing.T) {
+			if _, err := ParseLink(link); err == nil {
+				t.Errorf("expected parse error for non-numeric port, got nil")
+			}
+		})
+	}
+}
+
 func TestParseSubscriptionBody_Base64(t *testing.T) {
 	// base64 of the two joined links:
 	// vless://u@h:443?type=tcp#A\nvless://u2@h2:443?type=tcp#B