inbound_finalmask_reality_test.go 5.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157
  1. package service
  2. import (
  3. "encoding/json"
  4. "testing"
  5. "github.com/mhsanaei/3x-ui/v3/internal/database"
  6. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  7. )
  8. const realityFinalMaskStream = `{"network":"tcp","security":"reality","realitySettings":{},"finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`
  9. func TestValidateFinalMaskRealityCombo(t *testing.T) {
  10. tests := []struct {
  11. name string
  12. streamSettings string
  13. wantErr bool
  14. }{
  15. {
  16. name: "empty streamSettings",
  17. streamSettings: "",
  18. wantErr: false,
  19. },
  20. {
  21. name: "reality without finalmask",
  22. streamSettings: `{"security":"reality","realitySettings":{}}`,
  23. wantErr: false,
  24. },
  25. {
  26. name: "reality with empty finalmask",
  27. streamSettings: `{"security":"reality","finalmask":{"tcp":[],"udp":[]}}`,
  28. wantErr: false,
  29. },
  30. {
  31. name: "reality with tcp fragment finalmask",
  32. streamSettings: `{"security":"reality","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  33. wantErr: true,
  34. },
  35. {
  36. // UDP masks never touch the TCP accept path REALITY runs on —
  37. // TcpmaskManager (the thing that wraps the listener ahead of
  38. // REALITY's handshake) is only built when tcp masks are present,
  39. // so a udp-only config doesn't reproduce the panic and shouldn't
  40. // be rejected.
  41. name: "reality with udp-only finalmask (does not reproduce the panic)",
  42. streamSettings: `{"security":"reality","finalmask":{"udp":[{"type":"salamander"}]}}`,
  43. wantErr: false,
  44. },
  45. {
  46. name: "non-reality security with finalmask",
  47. streamSettings: `{"security":"tls","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  48. wantErr: false,
  49. },
  50. }
  51. for _, tt := range tests {
  52. t.Run(tt.name, func(t *testing.T) {
  53. err := validateFinalMaskRealityCombo(tt.streamSettings)
  54. if (err != nil) != tt.wantErr {
  55. t.Errorf("validateFinalMaskRealityCombo(%q) error = %v, wantErr %v", tt.streamSettings, err, tt.wantErr)
  56. }
  57. })
  58. }
  59. }
  60. // end-to-end: the guard must actually be wired into AddInbound, not just
  61. // exist as a standalone helper a caller could forget to invoke.
  62. func TestAddInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  63. setupConflictDB(t)
  64. svc := &InboundService{}
  65. in := &model.Inbound{
  66. Tag: "in-44300-tcp",
  67. Enable: true,
  68. Listen: "0.0.0.0",
  69. Port: 44300,
  70. Protocol: model.VLESS,
  71. StreamSettings: realityFinalMaskStream,
  72. Settings: `{"clients":[]}`,
  73. }
  74. if _, _, err := svc.AddInbound(in); err == nil {
  75. t.Fatal("AddInbound: want error for finalmask+reality, got nil")
  76. }
  77. var count int64
  78. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-44300-tcp").Count(&count).Error; err != nil {
  79. t.Fatalf("count rows: %v", err)
  80. }
  81. if count != 0 {
  82. t.Fatalf("AddInbound: rejected inbound was persisted anyway, row count = %d", count)
  83. }
  84. }
  85. // end-to-end: same guard on the update path, on a row that was valid before
  86. // the edit — the rejected StreamSettings must not overwrite the stored row.
  87. func TestUpdateInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  88. setupConflictDB(t)
  89. seedInboundConflict(t, "in-44301-tcp", "0.0.0.0", 44301, model.VLESS,
  90. `{"network":"tcp","security":"reality","realitySettings":{}}`, `{"clients":[]}`)
  91. var existing model.Inbound
  92. if err := database.GetDB().Where("tag = ?", "in-44301-tcp").First(&existing).Error; err != nil {
  93. t.Fatalf("read seeded row: %v", err)
  94. }
  95. svc := &InboundService{}
  96. update := existing
  97. update.StreamSettings = realityFinalMaskStream
  98. if _, _, err := svc.UpdateInbound(&update); err == nil {
  99. t.Fatal("UpdateInbound: want error for finalmask+reality, got nil")
  100. }
  101. var reloaded model.Inbound
  102. if err := database.GetDB().First(&reloaded, existing.Id).Error; err != nil {
  103. t.Fatalf("reload: %v", err)
  104. }
  105. if reloaded.StreamSettings != existing.StreamSettings {
  106. t.Fatalf("UpdateInbound: rejected StreamSettings was persisted anyway\ngot: %s\nwant: %s", reloaded.StreamSettings, existing.StreamSettings)
  107. }
  108. }
  109. // GetXrayConfig must heal a row that already carries finalmask+reality in the
  110. // DB (saved before this guard existed - an upgrade, a node sync, a restored
  111. // backup, or a direct DB edit) rather than handing xray-core a config that
  112. // panics it on the first connection. Bypasses AddInbound/UpdateInbound
  113. // entirely by writing the row directly, the same way a pre-existing bad row
  114. // would already be sitting in a real database.
  115. func TestGetXrayConfig_HealsFinalMaskRealityCombo(t *testing.T) {
  116. setupConflictDB(t)
  117. seedInboundConflict(t, "in-44302-tcp", "0.0.0.0", 44302, model.VLESS,
  118. realityFinalMaskStream, `{"clients":[]}`)
  119. svc := &XrayService{}
  120. cfg, err := svc.GetXrayConfig()
  121. if err != nil {
  122. t.Fatalf("GetXrayConfig: %v", err)
  123. }
  124. for i := range cfg.InboundConfigs {
  125. ic := cfg.InboundConfigs[i]
  126. if ic.Tag != "in-44302-tcp" {
  127. continue
  128. }
  129. var stream map[string]any
  130. if err := json.Unmarshal(ic.StreamSettings, &stream); err != nil {
  131. t.Fatalf("unmarshal emitted streamSettings: %v", err)
  132. }
  133. if stream["security"] != "reality" {
  134. t.Fatalf("security = %v, want reality (test setup broken)", stream["security"])
  135. }
  136. if _, has := stream["finalmask"]; has {
  137. t.Fatalf("emitted config still carries finalmask alongside reality — this crashes Xray-core: %v", stream["finalmask"])
  138. }
  139. return
  140. }
  141. t.Fatalf("inbound in-44302-tcp not found in generated config")
  142. }