fix: add protected fields to settings to mitigate high-severity vulnerability

Credits to @jorgectf for the advisories.
2025-05-10 18:05:48 +02:00 · 2023-12-20 03:44:14 +09:00 · 2023-12-20 03:44:14 +09:00 · 827e76c46e
commit 827e76c46e
parent 0a9e23daf4
3 changed files with 57 additions and 42 deletions
--- a/api/system/settings.go
+++ b/api/system/settings.go
@ -1,42 +1,57 @@
 package system

 import (
-    "github.com/0xJacky/Nginx-UI/api"
-    "github.com/0xJacky/Nginx-UI/settings"
-    "github.com/gin-gonic/gin"
-    "net/http"
+	"github.com/0xJacky/Nginx-UI/api"
+	"github.com/0xJacky/Nginx-UI/settings"
+	"github.com/gin-gonic/gin"
+	"net/http"
+	"reflect"
 )

 func GetSettings(c *gin.Context) {
-    c.JSON(http.StatusOK, gin.H{
-        "server": settings.ServerSettings,
-        "nginx":  settings.NginxSettings,
-        "openai": settings.OpenAISettings,
-    })
+	c.JSON(http.StatusOK, gin.H{
+		"server": settings.ServerSettings,
+		"nginx":  settings.NginxSettings,
+		"openai": settings.OpenAISettings,
+	})
 }

 func SaveSettings(c *gin.Context) {
-    var json struct {
-        Server settings.Server `json:"server"`
-        Nginx  settings.Nginx  `json:"nginx"`
-        Openai settings.OpenAI `json:"openai"`
-    }
+	var json struct {
+		Server settings.Server `json:"server"`
+		Nginx  settings.Nginx  `json:"nginx"`
+		Openai settings.OpenAI `json:"openai"`
+	}

-    if !api.BindAndValid(c, &json) {
-        return
-    }
+	if !api.BindAndValid(c, &json) {
+		return
+	}

-    settings.ServerSettings = json.Server
-    settings.NginxSettings = json.Nginx
-    settings.OpenAISettings = json.Openai
+	// todo: omit protected fields when binding
+	fillSettings(&settings.ServerSettings, &json.Server)
+	fillSettings(&settings.NginxSettings, &json.Nginx)
+	fillSettings(&settings.OpenAISettings, &json.Openai)

-    settings.ReflectFrom()
+	settings.ReflectFrom()

-    err := settings.Save()
-    if err != nil {
-        api.ErrHandler(c, err)
-        return
-    }
+	err := settings.Save()
+	if err != nil {
+		api.ErrHandler(c, err)
+		return
+	}

-    GetSettings(c)
+	GetSettings(c)
+}
+
+func fillSettings(targetSettings interface{}, newSettings interface{}) {
+	s := reflect.TypeOf(targetSettings).Elem()
+	vt := reflect.ValueOf(targetSettings).Elem()
+	vn := reflect.ValueOf(newSettings).Elem()
+
+	// copy the values from new to target settings if it is not protected
+	for i := 0; i < s.NumField(); i++ {
+		if s.Field(i).Tag.Get("protected") != "true" {
+			vt.Field(i).Set(vn.Field(i))
+		}
+	}
 }
--- a/settings/nginx.go
+++ b/settings/nginx.go
@ -3,11 +3,11 @@ package settings
 type Nginx struct {
 	AccessLogPath string `json:"access_log_path"`
 	ErrorLogPath  string `json:"error_log_path"`
-	ConfigDir     string `json:"config_dir"`
-	PIDPath       string `json:"pid_path"`
-	TestConfigCmd string `json:"test_config_cmd"`
-	ReloadCmd     string `json:"reload_cmd"`
-	RestartCmd    string `json:"restart_cmd"`
+	ConfigDir     string `json:"config_dir" protected:"true"`
+	PIDPath       string `json:"pid_path" protected:"true"`
+	TestConfigCmd string `json:"test_config_cmd" protected:"true"`
+	ReloadCmd     string `json:"reload_cmd" protected:"true"`
+	RestartCmd    string `json:"restart_cmd" protected:"true"`
 }

 var NginxSettings = Nginx{
--- a/settings/server.go
+++ b/settings/server.go
@ -1,18 +1,18 @@
 package settings

 type Server struct {
-	HttpHost          string `json:"http_host"`
-	HttpPort          string `json:"http_port"`
-	RunMode           string `json:"run_mode"`
-	JwtSecret         string `json:"jwt_secret"`
-	NodeSecret        string `json:"node_secret"`
+	HttpHost          string `json:"http_host" protected:"true"`
+	HttpPort          string `json:"http_port" protected:"true"`
+	RunMode           string `json:"run_mode" protected:"true"`
+	JwtSecret         string `json:"jwt_secret" protected:"true"`
+	NodeSecret        string `json:"node_secret" protected:"true"`
 	HTTPChallengePort string `json:"http_challenge_port"`
-	Email             string `json:"email"`
-	Database          string `json:"database"`
-	StartCmd          string `json:"start_cmd"`
+	Email             string `json:"email" protected:"true"`
+	Database          string `json:"database" protected:"true"`
+	StartCmd          string `json:"start_cmd" protected:"true"`
 	CADir             string `json:"ca_dir"`
-	Demo              bool   `json:"demo"`
-	PageSize          int    `json:"page_size"`
+	Demo              bool   `json:"demo" protected:"true"`
+	PageSize          int    `json:"page_size" protected:"true"`
 	GithubProxy       string `json:"github_proxy"`
 }