Página inicial Explorar Ajuda
Entrar
txlyre
/
3x-ui
mirror de https://github.com/MHSanaei/3x-ui
1
0
Fork 0
Arquivos Issues 0 Wiki
Tree: 37c5e0bfd2
Branches Tags
3x-ui
/
internal
/
web
/
middleware
/
config_envelope.go

config_envelope.go 2.0 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. package middleware
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"crypto/subtle"
    6. 

  6. 	"io"
    7. 

  7. 	"net/http"
    8. 

  8. 

  9. 	"github.com/gin-gonic/gin"
    10. 

  10. 

  11. 	"github.com/mhsanaei/3x-ui/v3/internal/util/wirecodec"
    12. 

  12. )
    13. 

  13. 

  14. // maxDecodedConfigBytes caps a decompressed request body (defense in depth on
    15. 

  15. // top of wirecodec's own ceiling).
    16. 

  16. const maxDecodedConfigBytes = 8 << 20
    17. 

  17. 

  18. // ConfigEnvelopeMiddleware advertises node envelope support on every response
    19. 

  19. // and, for requests that opt into the envelope, decompresses (zstd) and verifies
    20. 

  20. // the X-Config-Sha256 integrity hash before the body reaches the handler. A
    21. 

  21. // request carrying neither envelope header passes through untouched, so old
    22. 

  22. // panels and plain calls keep working (mixed-version safe).
    23. 

  23. func ConfigEnvelopeMiddleware() gin.HandlerFunc {
    24. 

  24. 	return func(c *gin.Context) {
    25. 

  25. 		c.Header(wirecodec.CapsHeader, wirecodec.CapZstd)
    26. 

  26. 

  27. 		enc := c.GetHeader("Content-Encoding")
    28. 

  28. 		sum := c.GetHeader(wirecodec.HashHeader)
    29. 

  29. 		if enc != wirecodec.EncodingZstd && sum == "" {
    30. 

  30. 			c.Next()
    31. 

  31. 			return
    32. 

  32. 		}
    33. 

  33. 

  34. 		// On the envelope path, zstd is the only encoding we understand. Reject any
    35. 

  35. 		// other Content-Encoding rather than hashing/forwarding a still-encoded body
    36. 

  36. 		// the downstream handler can't read.
    37. 

  37. 		if enc != "" && enc != wirecodec.EncodingZstd {
    38. 

  38. 			c.AbortWithStatus(http.StatusUnsupportedMediaType)
    39. 

  39. 			return
    40. 

  40. 		}
    41. 

  41. 

  42. 		raw, err := io.ReadAll(c.Request.Body)
    43. 

  43. 		if err != nil {
    44. 

  44. 			c.AbortWithStatus(http.StatusBadRequest)
    45. 

  45. 			return
    46. 

  46. 		}
    47. 

  47. 		_ = c.Request.Body.Close()
    48. 

  48. 

  49. 		if enc == wirecodec.EncodingZstd {
    50. 

  50. 			decoded, derr := wirecodec.Decompress(raw, maxDecodedConfigBytes)
    51. 

  51. 			if derr != nil {
    52. 

  52. 				c.AbortWithStatus(http.StatusBadRequest)
    53. 

  53. 				return
    54. 

  54. 			}
    55. 

  55. 			raw = decoded
    56. 

  56. 			c.Request.Header.Del("Content-Encoding")
    57. 

  57. 		}
    58. 

  58. 

  59. 		if sum != "" {
    60. 

  60. 			got := wirecodec.Sha256Hex(raw)
    61. 

  61. 			if subtle.ConstantTimeCompare([]byte(got), []byte(sum)) != 1 {
    62. 

  62. 				c.AbortWithStatus(http.StatusBadRequest)
    63. 

  63. 				return
    64. 

  64. 			}
    65. 

  65. 		}
    66. 

  66. 

  67. 		c.Request.Body = io.NopCloser(bytes.NewReader(raw))
    68. 

  68. 		c.Request.ContentLength = int64(len(raw))
    69. 

  69. 		c.Next()
    70. 

  70. 	}
    71. 

  71. }
    72.