Files
Nexus/docs/changelog/2026-05-23-medium-fixes.md
T
Your Name fbf5eadcf2 fix(security): R2+R3 全面代码审计修复 — 3 CRITICAL / 9 HIGH / 15 MEDIUM / 10 LOW
CRITICAL:
- C-1: sync_service.py rsync命令shlex.quote防Shell注入回归
- C-2: agent.py exec端点危险命令正则拦截+compare_digest+僵尸进程修复
- C-3: WebSSH JWT token绑定server_id防IDOR

HIGH:
- H-1: 所有PUT/POST端点setattr改为字段白名单防任意字段注入
- H-2: settings/assets/scripts端点添加JWT认证
- H-3: refresh_token invalidate-then-generate防并发重放
- H-4: servers.py Redis pipeline解决N+1查询
- H-7: settings API Key/Secret掩码+禁止修改
- H-8: TOTP暴力破解速率限制(5次/5分钟)
- H-9: get_optional_admin改用request-scoped session

MEDIUM:
- M-2: X-Real-IP优先+X-Forwarded-For取末值防IP伪造
- M-4: asyncssh异常信息脱敏(只含server_id)
- M-5: 分页limit上限(500/200/500/500)
- M-9: API层Redis依赖抽象至dependencies.py
- M-10: WebSocket ConnectionManager多worker Redis聚合
- M-13: login_attempts复合索引
- M-14: ServerRepository.get_by_ids批量查询
- M-15: API错误消息统一中文

R3追加:
- sysctl命令注入防护+regex验证
- $DB_PASS明文存储→masked_command双命令方案
- MYSQL_PWD环境变量替代-p flag
- health端点拆分(公开/需认证)
- repo层**kwargs→字段白名单
- 全局str(e)信息泄露修复(API/Telegram/WebSocket)
- SSRF私有IP拦截
- Nginx HTTPS配置+DB备份脚本
- 前端CDN SRI哈希+XSS修复
- __import__替换为正常import

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 10:58:33 +08:00

2.1 KiB

2026-05-23 — MEDIUM Issue Fixes (Post-Audit Round 2)

Summary

Fixed all 14+ MEDIUM issues identified in the full codebase audit.

Changes

Backend Core

  • WebSocket connection limits: Added MAX_CONNECTIONS=500 to ConnectionManager; rejects new connections when limit reached (memory DoS prevention)
  • WebSSH message size limits: Added MAX_MSG_SIZE=100KB and MAX_DATA_SIZE=10KB validation before processing WebSocket messages
  • setting_repo SELECT-then-INSERT race: Replaced TOCTOU pattern with MySQL ON DUPLICATE KEY UPDATE for atomic upsert
  • Migration atomicity: Removed intermediate session.commit() calls — single commit at end for all-or-nothing migration
  • SyncLog/ScriptExecution return types: Fixed update_status() return types from non-Optional to Optional[SyncLog] / Optional[ScriptExecution]

Security Hardening

  • Nginx rate limiting: Added limit_req_zone (10 req/s per IP, burst 20) for API endpoints
  • X-Forwarded-For IP extraction: Added _client_ip() helper to auth.py that checks X-Forwarded-For header first, falls back to request.client.host
  • CDN SRI integrity hashes: Added integrity + crossorigin attributes to all CDN script/style tags across all 12 HTML pages (tailwindcss, alpinejs, xterm, xterm-addon-fit)
  • Global 401 interceptor: Added window.fetch override on all pages — auto-redirects to login on 401 responses

Deployment

  • Supervisor stopasgroup: Added stopasgroup=true to ensure SIGINT reaches entire process tree
  • health_monitor.sh hardening: Added set -euo pipefail; wrapped FAIL_FILE read-modify-write in flock for atomicity
  • health_monitor.sh fail count: All 3 fail-count access points now use flock-protected critical sections

Code Quality

  • decrypt_value documentation: Clarified backward-compat contract; added try_decrypt_value() for callers needing explicit success/failure signal
  • Dual DB session deprecation: Marked get_async_session() as deprecated with docstring pointing to middleware-based request.state.db pattern

Files Changed

39 files, 498 insertions, 210 deletions