fix: add protected fields to settings to mitigate high-severity vulnerability

Credits to @jorgectf for the advisories.
2025-05-11 18:35:51 +02:00 · 2023-12-20 03:44:14 +09:00 · 2023-12-20 03:44:14 +09:00 · 827e76c46e
commit 827e76c46e
parent 0a9e23daf4
3 changed files with 57 additions and 42 deletions
--- a/api/system/settings.go
+++ b/api/system/settings.go
@ -1,42 +1,57 @@
 package system

 import (
-    "github.com/0xJacky/Nginx-UI/api"
-    "github.com/0xJacky/Nginx-UI/settings"
-    "github.com/gin-gonic/gin"
-    "net/http"
+	"github.com/0xJacky/Nginx-UI/api"
+	"github.com/0xJacky/Nginx-UI/settings"
+	"github.com/gin-gonic/gin"
+	"net/http"
+	"reflect"
 )

 func GetSettings(c *gin.Context) {
-    c.JSON(http.StatusOK, gin.H{
-        "server": settings.ServerSettings,
-        "nginx":  settings.NginxSettings,
-        "openai": settings.OpenAISettings,
-    })
+	c.JSON(http.StatusOK, gin.H{
+		"server": settings.ServerSettings,
+		"nginx":  settings.NginxSettings,
+		"openai": settings.OpenAISettings,
+	})
 }

 func SaveSettings(c *gin.Context) {
-    var json struct {
-        Server settings.Server `json:"server"`
-        Nginx  settings.Nginx  `json:"nginx"`
-        Openai settings.OpenAI `json:"openai"`
-    }
+	var json struct {
+		Server settings.Server `json:"server"`
+		Nginx  settings.Nginx  `json:"nginx"`
+		Openai settings.OpenAI `json:"openai"`
+	}

-    if !api.BindAndValid(c, &json) {
-        return
-    }
+	if !api.BindAndValid(c, &json) {
+		return
+	}

-    settings.ServerSettings = json.Server
-    settings.NginxSettings = json.Nginx
-    settings.OpenAISettings = json.Openai
+	// todo: omit protected fields when binding
+	fillSettings(&settings.ServerSettings, &json.Server)
+	fillSettings(&settings.NginxSettings, &json.Nginx)
+	fillSettings(&settings.OpenAISettings, &json.Openai)

-    settings.ReflectFrom()
+	settings.ReflectFrom()

-    err := settings.Save()
-    if err != nil {
-        api.ErrHandler(c, err)
-        return
-    }
+	err := settings.Save()
+	if err != nil {
+		api.ErrHandler(c, err)
+		return
+	}

-    GetSettings(c)
+	GetSettings(c)
+}
+
+func fillSettings(targetSettings interface{}, newSettings interface{}) {
+	s := reflect.TypeOf(targetSettings).Elem()
+	vt := reflect.ValueOf(targetSettings).Elem()
+	vn := reflect.ValueOf(newSettings).Elem()
+
+	// copy the values from new to target settings if it is not protected
+	for i := 0; i < s.NumField(); i++ {
+		if s.Field(i).Tag.Get("protected") != "true" {
+			vt.Field(i).Set(vn.Field(i))
+		}
+	}
 }