| H-WS-auth |
webssh.py:96-109 |
SAFE |
webssh JWT + server_id 必须匹配路径 |
| H-WS-IDOR |
webssh.py:106-108 |
SAFE |
非绑定 token → 4003 |
| H-WS-cred |
webssh.py:127-135 |
SAFE |
SSH 凭据未配置则拒绝 |
| H-WS-audit |
webssh.py:137-157 |
SAFE |
connect/disconnect 审计 |
| H-WS-cmdlog |
webssh.py:276-290 |
SAFE |
命令日志 + dangerous check |
| H-WS-ADR011 |
webssh.py:92 |
RISK |
query token;已接受 |
| H-Server-mask |
servers.py:1692-1698 |
SAFE |
password_set / 密钥不返回明文 |
| H-Server-encrypt |
servers.py:1096-1099 |
SAFE |
Fernet 加密存储 |
| H-Server-allowlist |
servers.py:1163-1187 |
SAFE |
UPDATE 字段白名单 |
| H-Server-agent-key |
servers.py:1251-1288 |
SAFE |
re-auth 后生成/返回一次 |
| H-Server-shell |
servers.py:631-633 |
SAFE |
install cmd shlex.quote |
| H-Server-sudo |
servers.py:36-60 |
RISK |
临时 sudoers;运维必要 |
| H-Settings-immutable |
settings.py:331-334 |
SAFE |
api_key 等不可 PUT |
| H-Settings-mask |
settings.py:114-128 |
SAFE |
GET 敏感项 value 空 + value_set |
| H-Settings-reauth |
settings.py:93-98 |
SAFE |
reveal 需 bcrypt |
| H-Settings-SSRF |
settings.py:68-88 |
SAFE |
订阅 URL 私有 IP 拦截 |
| H-Settings-PUT-leak |
settings.py:383 |
RISK |
PUT 响应可能含 telegram 明文;JWT 已认证 |
| H-Script-danger |
scripts.py:352-359 |
SAFE |
check_dangerous_command 拒绝 |
| H-Script-cred |
scripts.py:407-418 |
SAFE |
凭据 API 无 password 字段 |
| H-Script-allowlist |
scripts.py:111-114,303-306 |
SAFE |
credential/script UPDATE 白名单 |
| H-Svc-redact |
script_service.py:108-111 |
SAFE |
执行记录 command 脱敏 DB_PASS |
| H-Svc-ssh |
script_service.py:680-698 |
SAFE |
SSH exec 经 pool |
| H-Svc-kill |
script_service.py:306-322 |
SAFE |
kill 命令 pid/log 路径校验 |
| H-Svc-server-map |
script_service.py:519-523 |
SAFE |
预加载 server_map 避免并行竞态 |