From 00ec07b88add8d805087e0558b052f9f57f78b3d Mon Sep 17 00:00:00 2001 From: hotyue <52734432+hotyue@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:49:06 +0000 Subject: [PATCH] =?UTF-8?q?security(master):=20=E4=BF=AE=E5=A4=8D=E9=AB=98?= =?UTF-8?q?=E5=8D=B1=20SQL=20=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E=EF=BC=8C?= =?UTF-8?q?=E9=87=8D=E6=9E=84=E5=9B=9E=E8=B0=83=E4=BA=A4=E4=BA=92=E6=B6=88?= =?UTF-8?q?=E9=99=A4=E9=9D=A2=E6=9D=BF=E5=BB=B6=E8=BF=9F=E4=B8=8E=E5=88=B7?= =?UTF-8?q?=E5=B1=8F=20(v3.0.1)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- master/tg_master.sh | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/master/tg_master.sh b/master/tg_master.sh index 884d49f..d529728 100755 --- a/master/tg_master.sh +++ b/master/tg_master.sh @@ -60,12 +60,24 @@ while true; do fi # ========================================== - # 1. 节点注册通道 + # 1. 节点注册通道 (v3.0.1 终极防注入补丁) # ========================================== if [[ "$TEXT" == *"#REGISTER#"* ]]; then REG_LINE=$(echo "$TEXT" | grep "#REGISTER#" | head -n 1 | tr -d '\` ') - IFS='|' read -r MAGIC NODE_NAME AGENT_IP AGENT_PORT <<< "$REG_LINE" + IFS='|' read -r MAGIC RAW_NODE RAW_IP RAW_PORT <<< "$REG_LINE" + # 🛡️ 强制字符白名单过滤:物理抹杀所有 SQL 注入特殊字符 + CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-') # ChatID 只能是数字和负号 + NODE_NAME=$(echo "$RAW_NODE" | tr -cd 'a-zA-Z0-9_.-' | cut -c 1-30) # 节点名限字母数字横杠下划线 + AGENT_IP=$(echo "$RAW_IP" | tr -cd 'a-zA-Z0-9.:\[\]-' | cut -c 1-50) # IP 格式限制 + AGENT_PORT=$(echo "$RAW_PORT" | tr -cd '0-9' | cut -c 1-5) # 端口只能是数字 + + # 异常拦截:如果核心字段被过滤成了空值,说明是恶意请求,直接抛弃 + if [ -z "$NODE_NAME" ] || [ -z "$AGENT_IP" ] || [ -z "$AGENT_PORT" ] || [ -z "$CHAT_ID" ]; then + send_msg "$CHAT_ID" "⛔ **安全拦截**:检测到非法注册载荷,请求已拒绝。" + continue + fi + db_exec "INSERT INTO nodes (chat_id, node_name, agent_ip, agent_port, last_seen) VALUES ('$CHAT_ID', '$NODE_NAME', '$AGENT_IP', '$AGENT_PORT', CURRENT_TIMESTAMP) ON CONFLICT(chat_id, node_name) DO UPDATE SET agent_ip='$AGENT_IP', agent_port='$AGENT_PORT', last_seen=CURRENT_TIMESTAMP;" send_msg "$CHAT_ID" "✅ 司令部已确认!节点接入成功: \`$NODE_NAME\` ($AGENT_IP:$AGENT_PORT)" continue @@ -107,14 +119,18 @@ while true; do ;; manage:*) - TARGET_NODE=${TEXT#*:} + # 🛡️ 强制过滤节点名,防止面板渲染时发生 XSS 或注入 + TARGET_NODE=$(echo "${TEXT#*:}" | tr -cd 'a-zA-Z0-9_.-') # 【核心升级】拆分下发按钮,精准对应 Google 与 Trust 两个模块,并排版为 3 行 2 列 BTNS="[[{\"text\":\"📍 Google 纠偏\",\"callback_data\":\"google:$TARGET_NODE\"}, {\"text\":\"🛡️ 信用净化\",\"callback_data\":\"trust:$TARGET_NODE\"}], [{\"text\":\"📜 实时日志\",\"callback_data\":\"log:$TARGET_NODE\"}, {\"text\":\"📊 统计战报\",\"callback_data\":\"report:$TARGET_NODE\"}], [{\"text\":\"🗑️ 剔除失联节点\",\"callback_data\":\"del:$TARGET_NODE\"}, {\"text\":\"⬅️ 返回主列表\",\"callback_data\":\"list_nodes\"}]]" send_ui "$CHAT_ID" "⚙️ **目标锁定**: \`$TARGET_NODE\`\n请选择战术动作:" "$BTNS" ;; del:*) - TARGET_NODE=${TEXT#*:} + # 🛡️ 提取并强制过滤节点名与 CHAT_ID 防注入 + TARGET_NODE=$(echo "${TEXT#*:}" | tr -cd 'a-zA-Z0-9_.-') + CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-') + db_exec "DELETE FROM nodes WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE';" send_msg "$CHAT_ID" "🗑️ 节点 \`$TARGET_NODE\` 的档案已从司令部彻底销毁!" @@ -133,8 +149,10 @@ while true; do # 【核心升级】增加拦截规则,支持 google 和 trust 前缀 google:*|trust:*|run:*|report:*|log:*) - ACTION_TYPE=$(echo "$TEXT" | cut -d':' -f1) - TARGET_NODE=$(echo "$TEXT" | cut -d':' -f2) + # 🛡️ 提取并强制过滤动作参数、节点名与 CHAT_ID + ACTION_TYPE=$(echo "$TEXT" | cut -d':' -f1 | tr -cd 'a-z') + TARGET_NODE=$(echo "$TEXT" | cut -d':' -f2 | tr -cd 'a-zA-Z0-9_.-') + CHAT_ID=$(echo "$CHAT_ID" | tr -cd '0-9-') AGENT_INFO=$(db_exec "SELECT agent_ip, agent_port FROM nodes WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE' LIMIT 1;") AGENT_IP=$(echo "$AGENT_INFO" | cut -d'|' -f1)