- 修复RDP协议连接导致的任意文件读取漏洞

- RDP协议增加「域」参数 - 增加安全访问功能 - 优化代码
2021-03-11 21:16:29 +08:00
parent ba5bff1b38
commit 7f7edaa33c
45 changed files with 1020 additions and 158 deletions
--- a/pkg/api/middleware.go
+++ b/pkg/api/middleware.go
@ -3,8 +3,10 @@ package api
 import (
 	"fmt"
 	"github.com/labstack/echo/v4"
+	"net"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
-	"next-terminal/pkg/model"
+	"next-terminal/pkg/utils"
 	"regexp"
 	"strings"
 	"time"
@ -26,6 +28,62 @@ func ErrorHandler(next echo.HandlerFunc) echo.HandlerFunc {
 	}
 }

+func TcpWall(next echo.HandlerFunc) echo.HandlerFunc {
+
+	return func(c echo.Context) error {
+
+		if global.Securities == nil {
+			return next(c)
+		}
+
+		ip := c.RealIP()
+		for i := 0; i < len(global.Securities); i++ {
+			security := global.Securities[i]
+
+			if strings.Contains(security.IP, "/") {
+				// CIDR
+				_, ipNet, err := net.ParseCIDR(security.IP)
+				if err != nil {
+					continue
+				}
+				if !ipNet.Contains(net.ParseIP(ip)) {
+					continue
+				}
+			} else if strings.Contains(security.IP, "-") {
+				// 范围段
+				split := strings.Split(security.IP, "-")
+				if len(split) < 2 {
+					continue
+				}
+				start := split[0]
+				end := split[1]
+				intReqIP := utils.IpToInt(ip)
+				if intReqIP < utils.IpToInt(start) || intReqIP > utils.IpToInt(end) {
+					continue
+				}
+			} else {
+				// IP
+				if security.IP != ip {
+					continue
+				}
+			}
+
+			if security.Rule == constant.AccessRuleAllow {
+				return next(c)
+			}
+			if security.Rule == constant.AccessRuleReject {
+				if c.Request().Header.Get("X-Requested-With") != "" || c.Request().Header.Get(Token) != "" {
+					return Fail(c, 0, "您的访问请求被拒绝 :(")
+				} else {
+					return c.HTML(666, "您的访问请求被拒绝 :(")
+				}
+			}
+		}
+
+		return next(c)
+	}
+}
+
 func Auth(next echo.HandlerFunc) echo.HandlerFunc {

 	startWithUrls := []string{"/login", "/static", "/favicon.ico", "/logo.svg", "/asciinema"}
@ -80,7 +138,7 @@ func Admin(next echo.HandlerFunc) echo.HandlerFunc {
 			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
 		}

-		if account.Type != model.TypeAdmin {
+		if account.Type != constant.TypeAdmin {
 			return Fail(c, 403, "permission denied")
 		}