Home Explore Help
Sign In
txlyre
/
3x-ui
mirror of https://github.com/MHSanaei/3x-ui
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

security fix: Command built from user-controlled sources CWE-78

https://cwe.mitre.org/data/definitions/78.html
https://owasp.org/www-community/attacks/Command_Injection
mhsanaei 2 days ago
parent
37c17357fc
commit
eacfbc86b5
3 changed files with 36 additions and 11 deletions
Unified View Show Diff Stats
  1. 5 5
      config/config.go
  2. 1 1
      main.go
  3. 30 5
      web/service/server.go

+ 5 - 5
config/config.go
View File 

@@ -23,11 +23,11 @@ type LogLevel string
 
 
 
 // Logging level constants
 
 // Logging level constants
 
 const (
 
 const (
 
-	Debug  LogLevel = "debug"
 
-	Info   LogLevel = "info"
 
-	Notice LogLevel = "notice"
 
-	Warn   LogLevel = "warn"
 
-	Error  LogLevel = "error"
 
+	Debug   LogLevel = "debug"
 
+	Info    LogLevel = "info"
 
+	Notice  LogLevel = "notice"
 
+	Warning LogLevel = "warning"
 
+	Error   LogLevel = "error"
 
 )
 
 )
 
 
 
 // GetVersion returns the version string of the 3x-ui application.
 
 // GetVersion returns the version string of the 3x-ui application.

+ 1 - 1
main.go
View File 

@@ -35,7 +35,7 @@ func runWebServer() {
 
 		logger.InitLogger(logging.INFO)
 
 		logger.InitLogger(logging.INFO)
 
 	case config.Notice:
 
 	case config.Notice:
 
 		logger.InitLogger(logging.NOTICE)
 
 		logger.InitLogger(logging.NOTICE)
 
-	case config.Warn:
 
+	case config.Warning:
 
 		logger.InitLogger(logging.WARNING)
 
 		logger.InitLogger(logging.WARNING)
 
 	case config.Error:
 
 	case config.Error:
 
 		logger.InitLogger(logging.ERROR)
 
 		logger.InitLogger(logging.ERROR)

+ 30 - 5
web/service/server.go
View File 

@@ -697,14 +697,39 @@ func (s *ServerService) GetLogs(count string, level string, syslog string) []str
 
 	var lines []string
 
 	var lines []string
 
 
 
 	if syslog == "true" {
 
 	if syslog == "true" {
 
-		cmdArgs := []string{"journalctl", "-u", "x-ui", "--no-pager", "-n", count, "-p", level}
 
-		// Run the command
 
-		cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
 
+		// Check if running on Windows - journalctl is not available
 
+		if runtime.GOOS == "windows" {
 
+			return []string{"Syslog is not supported on Windows. Please use application logs instead by unchecking the 'Syslog' option."}
 
+		}
 
+
 
+		// Validate and sanitize count parameter
 
+		countInt, err := strconv.Atoi(count)
 
+		if err != nil || countInt < 1 || countInt > 10000 {
 
+			return []string{"Invalid count parameter - must be a number between 1 and 10000"}
 
+		}
 
+
 
+		// Validate level parameter - only allow valid syslog levels
 
+		validLevels := map[string]bool{
 
+			"0": true, "emerg": true,
 
+			"1": true, "alert": true,
 
+			"2": true, "crit": true,
 
+			"3": true, "err": true,
 
+			"4": true, "warning": true,
 
+			"5": true, "notice": true,
 
+			"6": true, "info": true,
 
+			"7": true, "debug": true,
 
+		}
 
+		if !validLevels[level] {
 
+			return []string{"Invalid level parameter - must be a valid syslog level"}
 
+		}
 
+
 
+		// Use hardcoded command with validated parameters
 
+		cmd := exec.Command("journalctl", "-u", "x-ui", "--no-pager", "-n", strconv.Itoa(countInt), "-p", level)
 
 		var out bytes.Buffer
 
 		var out bytes.Buffer
 
 		cmd.Stdout = &out
 
 		cmd.Stdout = &out
 
-		err := cmd.Run()
 
+		err = cmd.Run()
 
 		if err != nil {
 
 		if err != nil {
 
-			return []string{"Failed to run journalctl command!"}
 
+			return []string{"Failed to run journalctl command! Make sure systemd is available and x-ui service is registered."}
 
 		}
 
 		}
 
 		lines = strings.Split(out.String(), "\n")
 
 		lines = strings.Split(out.String(), "\n")
 
 	} else {
 
 	} else {