GithubBackup/BackupX
1
0
Fork 0
mirror of https://github.com/Awuqing/BackupX.git synced 2026-05-28 04:39:38 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e63b8f0be8895c9a7dfa70481d7dc731031ca827
BackupX/server/internal/notify/email.go
Wu Qing 17f4ec63ae fix: 后端直接托管 Web 控制台修复 #62,并修复 CodeQL 安全告警 (#70) 
* fix(server): 后端直接托管 Web 控制台,修复无 nginx 时 404 (#62)

问题 #62:在未安装 nginx 的服务器上,访问 :8340/ 返回
"route not found"(404),Web 控制台完全无法打开;同时 systemd
服务以 backupx 用户启动时因无权读取 root:root 0640 的配置文件
而反复退出(exit 1)。

修复:
- 后端新增 SPA 静态托管:自动探测前端目录(./web、./web/dist、
  /opt/backupx/web 等,或 server.web_root 显式指定),命中后直接
  提供静态文件与 index.html 回退,无需额外 nginx 反向代理即可访问
  控制台。/api、/health、/metrics、/install 等保留前缀仍返回结构化
  JSON 404,不会被 SPA 回退污染(沿用 issue #46 的约定)。
- 含 ".." 的请求路径由文件服务层直接拒绝,叠加 filepath.Rel 容器
  校验,杜绝目录穿越。
- install.sh 以 backupx:backupx 安装配置文件并显式 chown,修复历史
  版本 root:root 0640 导致服务无法读取配置而启动失败的问题;安装
  完成提示同步说明可直接通过 :8340 访问,并给出 journalctl 排查命令。
- 新增 spa_test.go 覆盖目录探测、保留前缀判定、SPA 回退与穿越防护。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security): 修复邮件头注入,加固 webhook 与整数转换

CodeQL 静态扫描在 main 上的真实告警修复:
- 邮件通知(email.go):From/To/Subject 头部此前直接拼接用户可控
  内容(备份任务名会进入 Subject),存在 SMTP 头注入风险(可注入
  Bcc 等额外头部或伪造正文)。新增 buildRawMessage/sanitizeHeaderValue
  剔除头部值中的 CR/LF;正文保持原样。新增 email_test.go 覆盖。
- webhook 通知(webhook.go):Validate 增加 URL 解析与 http/https
  协议校验,杜绝 file://、gopher:// 等可用于 SSRF 的协议。
- 整数转换(auth_service.go、storage_target_handler.go、
  backup_record_handler.go):将 ParseUint 的 bitSize 由 64 改为 0
  (即 uint 宽度),消除 uint64→uint 的潜在截断(32 位平台上为越界
  拒绝而非静默截断),并清除 go/incorrect-integer-conversion 告警。

注:archive.go/file_runner.go 的 zipslip 告警为误报(已有 HasPrefix
容器校验且不解压符号链接);node FS 浏览与 webhook 目标主机由设计上
的鉴权用户控制,不在本次行为变更范围内。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 12:50:57 +08:00

116 lines
3.6 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package notify
import (
"context"
"crypto/tls"
"fmt"
"net/smtp"
"strconv"
"strings"
)
type EmailNotifier struct{}
func NewEmailNotifier() *EmailNotifier { return &EmailNotifier{} }
func (n *EmailNotifier) Type() string { return "email" }
func (n *EmailNotifier) SensitiveFields() []string { return []string{"password"} }
func (n *EmailNotifier) Validate(config map[string]any) error {
host := strings.TrimSpace(asString(config["host"]))
port := asInt(config["port"])
from := strings.TrimSpace(asString(config["from"]))
to := strings.TrimSpace(asString(config["to"]))
if host == "" || port <= 0 || from == "" || to == "" {
return fmt.Errorf("email host/port/from/to are required")
}
return nil
}
func (n *EmailNotifier) Send(_ context.Context, config map[string]any, message Message) error {
if err := n.Validate(config); err != nil {
return err
}
host := strings.TrimSpace(asString(config["host"]))
port := asInt(config["port"])
username := strings.TrimSpace(asString(config["username"]))
password := strings.TrimSpace(asString(config["password"]))
from := strings.TrimSpace(asString(config["from"]))
toList := splitCommaValues(asString(config["to"]))
address := host + ":" + strconv.Itoa(port)
var auth smtp.Auth
if username != "" {
auth = smtp.PlainAuth("", username, password, host)
}
rawMessage := buildRawMessage(from, toList, message)
if port == 465 {
tlsConfig := &tls.Config{ServerName: host}
conn, err := tls.Dial("tcp", address, tlsConfig)
if err != nil {
return fmt.Errorf("dial tls for smtp port 465 failed: %w", err)
}
client, err := smtp.NewClient(conn, host)
if err != nil {
return fmt.Errorf("create smtp client over tls failed: %w", err)
}
defer client.Close()
if auth != nil {
if ok, _ := client.Extension("AUTH"); ok {
if err = client.Auth(auth); err != nil {
return fmt.Errorf("smtp auth failed: %w", err)
}
}
}
if err = client.Mail(from); err != nil {
return fmt.Errorf("smtp mail from failed: %w", err)
}
for _, toAddr := range toList {
if err = client.Rcpt(toAddr); err != nil {
return fmt.Errorf("smtp rcpt failed for %s: %w", toAddr, err)
}
}
writer, err := client.Data()
if err != nil {
return fmt.Errorf("smtp data failed: %w", err)
}
if _, err = writer.Write(rawMessage); err != nil {
return fmt.Errorf("smtp write message failed: %w", err)
}
if err = writer.Close(); err != nil {
return fmt.Errorf("smtp data close failed: %w", err)
}
return client.Quit()
}
return smtp.SendMail(address, auth, from, toList, rawMessage)
}
// buildRawMessage 构造 RFC 5322 邮件原文。所有头部值都会剔除 CR/LF
// 防止 SMTP 头注入:备份任务名等用户可控内容会进入 Subject若包含
// 换行符可被用来注入额外头部(如 Bcc或伪造正文。正文本身不做处理
// 允许包含换行。
func buildRawMessage(from string, toList []string, message Message) []byte {
sanitizedTo := make([]string, 0, len(toList))
for _, addr := range toList {
if s := sanitizeHeaderValue(addr); s != "" {
sanitizedTo = append(sanitizedTo, s)
}
}
headers := []string{
"From: " + sanitizeHeaderValue(from),
"To: " + strings.Join(sanitizedTo, ", "),
"Subject: " + sanitizeHeaderValue(message.Title),
"MIME-Version: 1.0",
"Content-Type: text/plain; charset=UTF-8",
"",
message.Body,
}
return []byte(strings.Join(headers, "\r\n"))
}
// sanitizeHeaderValue 移除头部值中的 CR 与 LF消除头注入向量。
func sanitizeHeaderValue(value string) string {
return strings.NewReplacer("\r", "", "\n", "").Replace(strings.TrimSpace(value))
}
Reference in New Issue View Git Blame Copy Permalink