Xss

lib/version/version.go

@@ -1,6 +1,6 @@
 package version
 
-const VERSION = "0.22.0"
+const VERSION = "0.22.1"
 
 // Compulsory minimum version, Minimum downward compatibility to this version
 func GetVersion() string {

server/proxy/http.go

@@ -249,7 +249,7 @@ func (s *httpServer) httpHandle(c *conn.Conn, r *http.Request) {
 		reqCh <- r
 	}
 end:
-	if isConn {
+	if !readReq {
 		s.writeConnFail(c.Conn)
 	}
 	c.Close()

web/controllers/base.go

@@ -6,6 +6,7 @@ import (
 	"github.com/cnlh/nps/lib/file"
 	"github.com/cnlh/nps/server"
 	"github.com/cnlh/nps/vender/github.com/astaxie/beego"
+	"html"
 	"math"
 	"strconv"
 	"strings"
@@ -26,7 +27,7 @@ func (s *BaseController) Prepare() {
 	// web api verify
 	// param 1 is md5(authKey+Current timestamp)
 	// param 2 is timestamp (It's limited to 20 seconds.)
-	md5Key := s.GetString("auth_key")
+	md5Key := s.getEscapeString("auth_key")
 	timestamp := s.GetIntNoErr("timestamp")
 	configKey := beego.AppConfig.String("auth_key")
 	timeNowUnix := time.Now().Unix()
@@ -85,6 +86,11 @@ func (s *BaseController) error() {
 	s.TplName = "public/error.html"
 }
 
+//getEscapeString
+func (s *BaseController) getEscapeString(key string) string {
+	return html.EscapeString(s.GetString(key))
+}
+
 //去掉没有err返回值的int
 func (s *BaseController) GetIntNoErr(key string, def ...int) int {
 	strv := s.Ctx.Input.Query(key)

web/controllers/client.go

@@ -27,7 +27,7 @@ func (s *ClientController) List() {
 	} else {
 		clientId = clientIdSession.(int)
 	}
-	list, cnt := server.GetClientList(start, length, s.GetString("search"), s.GetString("sort"), s.GetString("order"), clientId)
+	list, cnt := server.GetClientList(start, length, s.getEscapeString("search"), s.getEscapeString("sort"), s.getEscapeString("order"), clientId)
 	s.AjaxTable(list, cnt, cnt)
 }
 
@@ -39,21 +39,21 @@ func (s *ClientController) Add() {
 		s.display()
 	} else {
 		t := &file.Client{
-			VerifyKey: s.GetString("vkey"),
+			VerifyKey: s.getEscapeString("vkey"),
 			Id:        int(file.GetDb().JsonDb.GetClientId()),
 			Status:    true,
-			Remark:    s.GetString("remark"),
+			Remark:    s.getEscapeString("remark"),
 			Cnf: &file.Config{
-				U:        s.GetString("u"),
+				U:        s.getEscapeString("u"),
-				P:        s.GetString("p"),
+				P:        s.getEscapeString("p"),
-				Compress: common.GetBoolByStr(s.GetString("compress")),
+				Compress: common.GetBoolByStr(s.getEscapeString("compress")),
 				Crypt:    s.GetBoolNoErr("crypt"),
 			},
 			ConfigConnAllow: s.GetBoolNoErr("config_conn_allow"),
 			RateLimit:       s.GetIntNoErr("rate_limit"),
 			MaxConn:         s.GetIntNoErr("max_conn"),
-			WebUserName:     s.GetString("web_username"),
+			WebUserName:     s.getEscapeString("web_username"),
-			WebPassword:     s.GetString("web_password"),
+			WebPassword:     s.getEscapeString("web_password"),
 			MaxTunnelNum:    s.GetIntNoErr("max_tunnel"),
 			Flow: &file.Flow{
 				ExportFlow: 0,
@@ -102,33 +102,33 @@ func (s *ClientController) Edit() {
 		if c, err := file.GetDb().GetClient(id); err != nil {
 			s.error()
 		} else {
-			if s.GetString("web_username") != "" {
+			if s.getEscapeString("web_username") != "" {
-				if s.GetString("web_username") == beego.AppConfig.String("web_username") || !file.GetDb().VerifyUserName(s.GetString("web_username"), c.Id) {
+				if s.getEscapeString("web_username") == beego.AppConfig.String("web_username") || !file.GetDb().VerifyUserName(s.getEscapeString("web_username"), c.Id) {
 					s.AjaxErr("web login username duplicate, please reset")
 					return
 				}
 			}
 			if s.GetSession("isAdmin").(bool) {
-				if !file.GetDb().VerifyVkey(s.GetString("vkey"), c.Id) {
+				if !file.GetDb().VerifyVkey(s.getEscapeString("vkey"), c.Id) {
 					s.AjaxErr("Vkey duplicate, please reset")
 					return
 				}
-				c.VerifyKey = s.GetString("vkey")
+				c.VerifyKey = s.getEscapeString("vkey")
 				c.Flow.FlowLimit = int64(s.GetIntNoErr("flow_limit"))
 				c.RateLimit = s.GetIntNoErr("rate_limit")
 				c.MaxConn = s.GetIntNoErr("max_conn")
 				c.MaxTunnelNum = s.GetIntNoErr("max_tunnel")
 			}
-			c.Remark = s.GetString("remark")
+			c.Remark = s.getEscapeString("remark")
-			c.Cnf.U = s.GetString("u")
+			c.Cnf.U = s.getEscapeString("u")
-			c.Cnf.P = s.GetString("p")
+			c.Cnf.P = s.getEscapeString("p")
-			c.Cnf.Compress = common.GetBoolByStr(s.GetString("compress"))
+			c.Cnf.Compress = common.GetBoolByStr(s.getEscapeString("compress"))
 			c.Cnf.Crypt = s.GetBoolNoErr("crypt")
 			b, err := beego.AppConfig.Bool("allow_user_change_username")
 			if s.GetSession("isAdmin").(bool) || (err == nil && b) {
-				c.WebUserName = s.GetString("web_username")
+				c.WebUserName = s.getEscapeString("web_username")
 			}
-			c.WebPassword = s.GetString("web_password")
+			c.WebPassword = s.getEscapeString("web_password")
 			c.ConfigConnAllow = s.GetBoolNoErr("config_conn_allow")
 			if c.Rate != nil {
 				c.Rate.Stop()

web/controllers/index.go

@@ -68,7 +68,7 @@ func (s *IndexController) Host() {
 
 func (s *IndexController) All() {
 	s.Data["menu"] = "client"
-	clientId := s.GetString("client_id")
+	clientId := s.getEscapeString("client_id")
 	s.Data["client_id"] = clientId
 	s.SetInfo("client id:" + clientId)
 	s.display("index/list")
@@ -76,30 +76,30 @@ func (s *IndexController) All() {
 
 func (s *IndexController) GetTunnel() {
 	start, length := s.GetAjaxParams()
-	taskType := s.GetString("type")
+	taskType := s.getEscapeString("type")
 	clientId := s.GetIntNoErr("client_id")
-	list, cnt := server.GetTunnel(start, length, taskType, clientId, s.GetString("search"))
+	list, cnt := server.GetTunnel(start, length, taskType, clientId, s.getEscapeString("search"))
 	s.AjaxTable(list, cnt, cnt)
 }
 
 func (s *IndexController) Add() {
 	if s.Ctx.Request.Method == "GET" {
-		s.Data["type"] = s.GetString("type")
+		s.Data["type"] = s.getEscapeString("type")
-		s.Data["client_id"] = s.GetString("client_id")
+		s.Data["client_id"] = s.getEscapeString("client_id")
 		s.SetInfo("add tunnel")
 		s.display()
 	} else {
 		t := &file.Tunnel{
 			Port:      s.GetIntNoErr("port"),
-			ServerIp:  s.GetString("server_ip"),
+			ServerIp:  s.getEscapeString("server_ip"),
-			Mode:      s.GetString("type"),
+			Mode:      s.getEscapeString("type"),
-			Target:    &file.Target{TargetStr: s.GetString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
+			Target:    &file.Target{TargetStr: s.getEscapeString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
 			Id:        int(file.GetDb().JsonDb.GetTaskId()),
 			Status:    true,
-			Remark:    s.GetString("remark"),
+			Remark:    s.getEscapeString("remark"),
-			Password:  s.GetString("password"),
+			Password:  s.getEscapeString("password"),
-			LocalPath: s.GetString("local_path"),
+			LocalPath: s.getEscapeString("local_path"),
-			StripPre:  s.GetString("strip_pre"),
+			StripPre:  s.getEscapeString("strip_pre"),
 			Flow:      &file.Flow{},
 		}
 		if !tool.TestServerPort(t.Port, t.Mode) {
@@ -161,14 +161,14 @@ func (s *IndexController) Edit() {
 				}
 				t.Port = s.GetIntNoErr("port")
 			}
-			t.ServerIp = s.GetString("server_ip")
+			t.ServerIp = s.getEscapeString("server_ip")
-			t.Mode = s.GetString("type")
+			t.Mode = s.getEscapeString("type")
-			t.Target = &file.Target{TargetStr: s.GetString("target")}
+			t.Target = &file.Target{TargetStr: s.getEscapeString("target")}
-			t.Password = s.GetString("password")
+			t.Password = s.getEscapeString("password")
 			t.Id = id
-			t.LocalPath = s.GetString("local_path")
+			t.LocalPath = s.getEscapeString("local_path")
-			t.StripPre = s.GetString("strip_pre")
+			t.StripPre = s.getEscapeString("strip_pre")
-			t.Remark = s.GetString("remark")
+			t.Remark = s.getEscapeString("remark")
 			t.Target.LocalProxy = s.GetBoolNoErr("local_proxy")
 			file.GetDb().UpdateTask(t)
 			server.StopServer(t.Id)
@@ -204,14 +204,14 @@ func (s *IndexController) Start() {
 
 func (s *IndexController) HostList() {
 	if s.Ctx.Request.Method == "GET" {
-		s.Data["client_id"] = s.GetString("client_id")
+		s.Data["client_id"] = s.getEscapeString("client_id")
 		s.Data["menu"] = "host"
 		s.SetInfo("host list")
 		s.display("index/hlist")
 	} else {
 		start, length := s.GetAjaxParams()
 		clientId := s.GetIntNoErr("client_id")
-		list, cnt := file.GetDb().GetHost(start, length, clientId, s.GetString("search"))
+		list, cnt := file.GetDb().GetHost(start, length, clientId, s.getEscapeString("search"))
 		s.AjaxTable(list, cnt, cnt)
 	}
 }
@@ -240,23 +240,23 @@ func (s *IndexController) DelHost() {
 
 func (s *IndexController) AddHost() {
 	if s.Ctx.Request.Method == "GET" {
-		s.Data["client_id"] = s.GetString("client_id")
+		s.Data["client_id"] = s.getEscapeString("client_id")
 		s.Data["menu"] = "host"
 		s.SetInfo("add host")
 		s.display("index/hadd")
 	} else {
 		h := &file.Host{
 			Id:           int(file.GetDb().JsonDb.GetHostId()),
-			Host:         s.GetString("host"),
+			Host:         s.getEscapeString("host"),
-			Target:       &file.Target{TargetStr: s.GetString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
+			Target:       &file.Target{TargetStr: s.getEscapeString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
-			HeaderChange: s.GetString("header"),
+			HeaderChange: s.getEscapeString("header"),
-			HostChange:   s.GetString("hostchange"),
+			HostChange:   s.getEscapeString("hostchange"),
-			Remark:       s.GetString("remark"),
+			Remark:       s.getEscapeString("remark"),
-			Location:     s.GetString("location"),
+			Location:     s.getEscapeString("location"),
 			Flow:         &file.Flow{},
-			Scheme:       s.GetString("scheme"),
+			Scheme:       s.getEscapeString("scheme"),
-			KeyFilePath:  s.GetString("key_file_path"),
+			KeyFilePath:  s.getEscapeString("key_file_path"),
-			CertFilePath: s.GetString("cert_file_path"),
+			CertFilePath: s.getEscapeString("cert_file_path"),
 		}
 		var err error
 		if h.Client, err = file.GetDb().GetClient(s.GetIntNoErr("client_id")); err != nil {
@@ -284,11 +284,11 @@ func (s *IndexController) EditHost() {
 		if h, err := file.GetDb().GetHostById(id); err != nil {
 			s.error()
 		} else {
-			if h.Host != s.GetString("host") {
+			if h.Host != s.getEscapeString("host") {
 				tmpHost := new(file.Host)
-				tmpHost.Host = s.GetString("host")
+				tmpHost.Host = s.getEscapeString("host")
-				tmpHost.Location = s.GetString("location")
+				tmpHost.Location = s.getEscapeString("location")
-				tmpHost.Scheme = s.GetString("scheme")
+				tmpHost.Scheme = s.getEscapeString("scheme")
 				if file.GetDb().IsHostExist(tmpHost) {
 					s.AjaxErr("host has exist")
 					return
@@ -299,15 +299,15 @@ func (s *IndexController) EditHost() {
 			} else {
 				h.Client = client
 			}
-			h.Host = s.GetString("host")
+			h.Host = s.getEscapeString("host")
-			h.Target = &file.Target{TargetStr: s.GetString("target")}
+			h.Target = &file.Target{TargetStr: s.getEscapeString("target")}
-			h.HeaderChange = s.GetString("header")
+			h.HeaderChange = s.getEscapeString("header")
-			h.HostChange = s.GetString("hostchange")
+			h.HostChange = s.getEscapeString("hostchange")
-			h.Remark = s.GetString("remark")
+			h.Remark = s.getEscapeString("remark")
-			h.Location = s.GetString("location")
+			h.Location = s.getEscapeString("location")
-			h.Scheme = s.GetString("scheme")
+			h.Scheme = s.getEscapeString("scheme")
-			h.KeyFilePath = s.GetString("key_file_path")
+			h.KeyFilePath = s.getEscapeString("key_file_path")
-			h.CertFilePath = s.GetString("cert_file_path")
+			h.CertFilePath = s.getEscapeString("cert_file_path")
 			h.Target.LocalProxy = s.GetBoolNoErr("local_proxy")
 			file.GetDb().JsonDb.StoreHostToJsonFile()
 		}