| author | mhsanaei <ho3ein.sanaei@gmail.com> | 2025-09-21 18:39:30 +0300 |
|---|---|---|
| committer | mhsanaei <ho3ein.sanaei@gmail.com> | 2025-09-21 18:39:30 +0300 |
| commit | eacfbc86b5f7ba08c4be1bdf14a3d552aeb1874b (patch) | |
| tree | f2c83ddd5f69867292a8ee8a506c9cc07ddd700b /web/service/server.go | |
| parent | 37c17357fc45b9acec387f3097be5db074ce880d (diff) | |
security fix: Command built from user-controlled sources CWE-78
https://cwe.mitre.org/data/definitions/78.html
https://owasp.org/www-community/attacks/Command_Injection
Diffstat (limited to 'web/service/server.go')
| -rw-r--r-- | web/service/server.go | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/web/service/server.go b/web/service/server.go
index 9fe42e2c..5fea423b 100644
--- a/web/service/server.go
+++ b/web/service/server.go
@@ -697,14 +697,39 @@ func (s *ServerService) GetLogs(count string, level string, syslog string) []str
 var lines []string
 if syslog == "true" {
- cmdArgs := []string{"journalctl", "-u", "x-ui", "--no-pager", "-n", count, "-p", level}
- // Run the command
- cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
+ // Check if running on Windows - journalctl is not available
+ if runtime.GOOS == "windows" {
+ return []string{"Syslog is not supported on Windows. Please use application logs instead by unchecking the 'Syslog' option."}
+ }
+
+ // Validate and sanitize count parameter
+ countInt, err := strconv.Atoi(count)
+ if err != nil || countInt < 1 || countInt > 10000 {
+ return []string{"Invalid count parameter - must be a number between 1 and 10000"}
+ }
+
+ // Validate level parameter - only allow valid syslog levels
+ validLevels := map[string]bool{
+ "0": true, "emerg": true,
+ "1": true, "alert": true,
+ "2": true, "crit": true,
+ "3": true, "err": true,
+ "4": true, "warning": true,
+ "5": true, "notice": true,
+ "6": true, "info": true,
+ "7": true, "debug": true,
+ }
+ if !validLevels[level] {
+ return []string{"Invalid level parameter - must be a valid syslog level"}
+ }
+
+ // Use hardcoded command with validated parameters
+ cmd := exec.Command("journalctl", "-u", "x-ui", "--no-pager", "-n", strconv.Itoa(countInt), "-p", level)
 var out bytes.Buffer
 cmd.Stdout = &out
- err := cmd.Run()
+ err = cmd.Run()
 if err != nil {
- return []string{"Failed to run journalctl command!"}
+ return []string{"Failed to run journalctl command! Make sure systemd is available and x-ui service is registered."}
 }
 lines = strings.Split(out.String(), "\n")
 } else { |
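Review bot: The `validLevels` allowlist on the new side is rebuilt as a heap-allocated map on every GetLogs call; a `switch` over the same sixteen constant strings performs the same rejection without the allocation and keeps the accepted values visible at the point of use (rewrite below). The `10000` upper bound on the re-serialized `-n` value would read better as a named constant such as `const maxSyslogLines = 10000`, so the check and the "between 1 and 10000" message cannot drift apart. Re-serializing the count through `strconv.Itoa` and allowlisting `level` before `exec.Command` is the right mitigation here: `exec.Command` never invokes a shell, so the remaining risk was unvalidated caller-supplied strings reaching journalctl's argument list, and this closes it. The `err` from `cmd.Run()` is still discarded, so a failing journalctl leaves no server-side trace; logging it before returning the fixed message would make the failure diagnosable. GetLogs starts and ends outside the hunk, and the new code relies on `runtime` and `strconv` already being imported in this file, since the diffstat attributes all 30 insertions to this hunk.
```go
// … unchanged: Windows check and count validation …
// Accept only journalctl's fixed priority names and numbers; any other
// string (including option-looking values) is rejected before exec.
switch level {
case "0", "emerg", "1", "alert", "2", "crit", "3", "err",
	"4", "warning", "5", "notice", "6", "info", "7", "debug":
default:
	return []string{"Invalid level parameter - must be a valid syslog level"}
}
// … unchanged: exec.Command, output capture and error handling …
```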
