- 修复RDP协议连接导致的任意文件读取漏洞

- RDP协议增加「域」参数
- 增加安全访问功能
- 优化代码

pkg/api/session.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/model"
 	"next-terminal/pkg/utils"
@@ -36,10 +37,10 @@ func SessionPagingEndpoint(c echo.Context) error {
 	}
 
 	for i := 0; i < len(items); i++ {
-		if status == model.Disconnected && len(items[i].Recording) > 0 {
+		if status == constant.Disconnected && len(items[i].Recording) > 0 {
 
 			var recording string
-			if items[i].Mode == model.Naive {
+			if items[i].Mode == constant.Naive {
 				recording = items[i].Recording
 			} else {
 				recording = items[i].Recording + "/recording"
@@ -77,7 +78,7 @@ func SessionConnectEndpoint(c echo.Context) error {
 
 	session := model.Session{}
 	session.ID = sessionId
-	session.Status = model.Connected
+	session.Status = constant.Connected
 	session.ConnectedTime = utils.NowJsonTime()
 
 	if err := model.UpdateSessionById(&session, sessionId); err != nil {
@@ -118,11 +119,11 @@ func CloseSessionById(sessionId string, code int, reason string) {
 		return
 	}
 
-	if s.Status == model.Disconnected {
+	if s.Status == constant.Disconnected {
 		return
 	}
 
-	if s.Status == model.Connecting {
+	if s.Status == constant.Connecting {
 		// 会话还未建立成功，无需保留数据
 		_ = model.DeleteSessionById(sessionId)
 		return
@@ -130,7 +131,7 @@ func CloseSessionById(sessionId string, code int, reason string) {
 
 	session := model.Session{}
 	session.ID = sessionId
-	session.Status = model.Disconnected
+	session.Status = constant.Disconnected
 	session.DisconnectedTime = utils.NowJsonTime()
 	session.Code = code
 	session.Message = reason
@@ -161,15 +162,15 @@ func SessionCreateEndpoint(c echo.Context) error {
 	assetId := c.QueryParam("assetId")
 	mode := c.QueryParam("mode")
 
-	if mode == model.Naive {
-		mode = model.Naive
+	if mode == constant.Naive {
+		mode = constant.Naive
 	} else {
-		mode = model.Guacd
+		mode = constant.Guacd
 	}
 
 	user, _ := GetCurrentAccount(c)
 
-	if model.TypeUser == user.Type {
+	if constant.TypeUser == user.Type {
 		// 检测是否有访问权限
 		assetIds, err := model.FindAssetIdsByUserId(user.ID)
 		if err != nil {
@@ -196,7 +197,7 @@ func SessionCreateEndpoint(c echo.Context) error {
 		Protocol:   asset.Protocol,
 		IP:         asset.IP,
 		Port:       asset.Port,
-		Status:     model.NoConnect,
+		Status:     constant.NoConnect,
 		Creator:    user.ID,
 		ClientIP:   c.RealIP(),
 		Mode:       mode,
@@ -208,7 +209,7 @@ func SessionCreateEndpoint(c echo.Context) error {
 			return err
 		}
 
-		if credential.Type == model.Custom {
+		if credential.Type == constant.Custom {
 			session.Username = credential.Username
 			session.Password = credential.Password
 		} else {
@@ -273,7 +274,7 @@ func SessionUploadEndpoint(c echo.Context) error {
 	} else if "rdp" == session.Protocol {
 
 		if strings.Contains(remoteFile, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 
@@ -331,7 +332,7 @@ func SessionDownloadEndpoint(c echo.Context) error {
 		return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes()))
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteFile, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@@ -413,7 +414,7 @@ func SessionLsEndpoint(c echo.Context) error {
 		return Success(c, files)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteDir, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@@ -446,6 +447,18 @@ func SessionLsEndpoint(c echo.Context) error {
 	return errors.New("当前协议不支持此操作")
 }
 
+func SafetyRuleTrigger(c echo.Context) {
+	logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+	security := model.AccessSecurity{
+		ID:     utils.UUID(),
+		Source: "安全规则触发",
+		IP:     c.RealIP(),
+		Rule:   constant.AccessRuleReject,
+	}
+
+	_ = model.CreateNewSecurity(&security)
+}
+
 func SessionMkDirEndpoint(c echo.Context) error {
 	sessionId := c.Param("id")
 	session, err := model.FindSessionById(sessionId)
@@ -464,7 +477,7 @@ func SessionMkDirEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteDir, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@@ -525,7 +538,7 @@ func SessionRmEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(key, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@@ -566,7 +579,7 @@ func SessionRenameEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(oldName, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@@ -591,7 +604,7 @@ func SessionRecordingEndpoint(c echo.Context) error {
 	}
 
 	var recording string
-	if session.Mode == model.Naive {
+	if session.Mode == constant.Naive {
 		recording = session.Recording
 	} else {
 		recording = session.Recording + "/recording"