换成单集群模式

2026-03-02 20:07:53 +08:00
parent 5d0b7c7e91
commit 2a76d1773d
432 changed files with 5681 additions and 5095 deletions
--- a/EdgeDNS/internal/firewalls/ddos_protection.go
+++ b/EdgeDNS/internal/firewalls/ddos_protection.go
@@ -173,6 +173,10 @@ func (this *DDoSProtectionManager) addTCPRules(tcpConfig *ddosconfigs.TCPConfig)

 	var ports = []int32{}
 	for _, portConfig := range tcpConfig.Ports {
+		// 校验端口范围
+		if portConfig.Port <= 0 || portConfig.Port > 65535 {
+			continue
+		}
 		if !lists.ContainsInt32(ports, portConfig.Port) {
 			ports = append(ports, portConfig.Port)
 		}
@@ -367,7 +371,19 @@ func (this *DDoSProtectionManager) encodeUserData(attrs []string) string {
 		return ""
 	}

-	return "ZZ" + strings.Join(attrs, "_") + "ZZ"
+	// 清洗每个属性值，只保留字母、数字和横杠
+	var safeAttrs = make([]string, len(attrs))
+	for i, attr := range attrs {
+		var safe strings.Builder
+		for _, c := range attr {
+			if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' {
+				safe.WriteRune(c)
+			}
+		}
+		safeAttrs[i] = safe.String()
+	}
+
+	return "ZZ" + strings.Join(safeAttrs, "_") + "ZZ"
 }

 // 解码user data
--- a/EdgeDNS/internal/nodes/dns_node.go
+++ b/EdgeDNS/internal/nodes/dns_node.go
@@ -31,6 +31,7 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"regexp"
 	"runtime"
 	"runtime/debug"
 	"syscall"
@@ -328,6 +329,13 @@ func (this *DNSNode) start() {
 		apiConfig.NumberId = config.Id
 	}

+	// 验证 NodeId 防止路径遍历
+	var nodeIdRegexp = regexp.MustCompile(`^[a-zA-Z0-9_\-]+$`)
+	if !nodeIdRegexp.MatchString(config.NodeId) {
+		remotelogs.Error("NODE", "invalid NodeId: contains illegal characters")
+		return
+	}
+
 	var db = dbs.NewDB(Tea.Root + "/data/data-" + types.String(config.Id) + "-" + config.NodeId + "-v0.1.0.db")
 	err = db.Init()
 	if err != nil {
--- a/EdgeDNS/internal/nodes/server.go
+++ b/EdgeDNS/internal/nodes/server.go
@@ -247,6 +247,15 @@ func (this *Server) parseAction(questionName string, remoteAddr *string) (string
 						return "", errors.New("decode question option failed: " + err.Error())
 					} else {
 						var ip = m.GetString("ip")
+						// 验证 IP 地址合法性，防止 IP 欺骗
+						parsedIP := net.ParseIP(ip)
+						if parsedIP == nil {
+							return "", errors.New("invalid IP address in setRemoteAddr: " + ip)
+						}
+						// 拒绝回环地址和未指定地址
+						if parsedIP.IsLoopback() || parsedIP.IsUnspecified() {
+							return "", errors.New("disallowed IP address in setRemoteAddr: " + ip)
+						}
 						*remoteAddr = ip
 					}
 				}