From c2f409c3c470b677cf9a885767ccd3a13b0f6c28 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Mon, 9 Feb 2026 22:56:21 +0100
Subject: fix security issue

---
 web/controller/xray_setting.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'web/controller/xray_setting.go')

diff --git a/web/controller/xray_setting.go b/web/controller/xray_setting.go
index a48726de..5b7a0e26 100644
--- a/web/controller/xray_setting.go
+++ b/web/controller/xray_setting.go
@@ -56,9 +56,17 @@ func (a *XraySettingController) getXraySetting(c *gin.Context) {
 if outboundTestUrl == "" {
 outboundTestUrl = "https://www.google.com/generate_204"
 }
- urlJSON, _ := json.Marshal(outboundTestUrl)
- xrayResponse := "{ \"xraySetting\": " + xraySetting + ", \"inboundTags\": " + inboundTags + ", \"outboundTestUrl\": " + string(urlJSON) + " }"
- jsonObj(c, xrayResponse, nil)
+ xrayResponse := map[string]interface{}{
+ "xraySetting": json.RawMessage(xraySetting),
+ "inboundTags": json.RawMessage(inboundTags),
+ "outboundTestUrl": outboundTestUrl,
+ }
+ result, err := json.Marshal(xrayResponse)
+ if err != nil {
+ jsonMsg(c, I18nWeb(c, "pages.settings.toasts.getSettings"), err)
+ return
+ }
+ jsonObj(c, string(result), nil)
 }
 
 // updateSetting updates the Xray configuration settings.
@@ -140,7 +148,6 @@ func (a *XraySettingController) resetOutboundsTraffic(c *gin.Context) {
 // Optional form "allOutbounds": JSON array of all outbounds; used to resolve sockopt.dialerProxy dependencies.
 func (a *XraySettingController) testOutbound(c *gin.Context) {
 outboundJSON := c.PostForm("outbound")
- testURL := c.PostForm("testURL")
 allOutboundsJSON := c.PostForm("allOutbounds")
 
 if outboundJSON == "" {
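Review bot: The two `json.RawMessage` values in the new `xrayResponse` map are only marshalable when `xraySetting` and `inboundTags` hold valid JSON; if either can be an empty string, `json.Marshal` now fails with an unexpected-end-of-input error and the handler answers with the getSettings toast instead of the settings. Whether those values can be empty is decided above the hunk (getXraySetting's body starts before line 56), so if it is possible, normalise them before building the map, e.g. `if inboundTags == "" { inboundTags = "[]" }`. If the module targets Go 1.18 or later, `map[string]any{` reads better than `map[string]interface{}{`, and a one-line comment such as `// xraySetting and inboundTags are already JSON documents; RawMessage embeds them verbatim instead of re-escaping them.` would explain the RawMessage choice to the next reader.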
@@ -148,6 +155,9 @@ func (a *XraySettingController) testOutbound(c *gin.Context) {
 return
 }
 
+ // Load the test URL from server settings to prevent SSRF via user-controlled URLs
+ testURL, _ := a.SettingService.GetXrayOutboundTestUrl()
+
 result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON)
 if err != nil {
 jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
-- cgit v1.2.3
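Review bot: `testURL, _ := a.SettingService.GetXrayOutboundTestUrl()` discards the lookup error and, unlike getXraySetting in the first hunk, applies no fallback when the stored value is empty, so an unset or unreadable setting would hand an empty URL to `TestOutbound` (unless the service substitutes a default itself, which the hunk does not show). Checking the error through the existing `jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)` path and reusing the same `generate_204` default keeps the server-side URL (the SSRF fix) while matching the other handler's behaviour; the later `result, err :=` still compiles because `result` is new. testOutbound's body starts before and continues after this hunk.
```go
	// Load the test URL from server settings to prevent SSRF via user-controlled URLs
	testURL, err := a.SettingService.GetXrayOutboundTestUrl()
	if err != nil {
		jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
		return
	}
	if testURL == "" {
		testURL = "https://www.google.com/generate_204"
	}

	result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON)
	// … unchanged: error handling and response …
```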