fix: add protected fields to settings to mitigate high-severity vulnerability

Credits to @jorgectf for the advisories.

api/system/settings.go

@@ -5,6 +5,7 @@ import (
 	"github.com/0xJacky/Nginx-UI/settings"
 	"github.com/gin-gonic/gin"
 	"net/http"
+	"reflect"
 )
 
 func GetSettings(c *gin.Context) {
@@ -26,9 +27,10 @@ func SaveSettings(c *gin.Context) {
 		return
 	}
 
-    settings.ServerSettings = json.Server
+	// todo: omit protected fields when binding
-    settings.NginxSettings = json.Nginx
+	fillSettings(&settings.ServerSettings, &json.Server)
-    settings.OpenAISettings = json.Openai
+	fillSettings(&settings.NginxSettings, &json.Nginx)
+	fillSettings(&settings.OpenAISettings, &json.Openai)
 
 	settings.ReflectFrom()
 
@@ -40,3 +42,16 @@ func SaveSettings(c *gin.Context) {
 
 	GetSettings(c)
 }
+
+func fillSettings(targetSettings interface{}, newSettings interface{}) {
+	s := reflect.TypeOf(targetSettings).Elem()
+	vt := reflect.ValueOf(targetSettings).Elem()
+	vn := reflect.ValueOf(newSettings).Elem()
+
+	// copy the values from new to target settings if it is not protected
+	for i := 0; i < s.NumField(); i++ {
+		if s.Field(i).Tag.Get("protected") != "true" {
+			vt.Field(i).Set(vn.Field(i))
+		}
+	}
+}

settings/nginx.go

@@ -3,11 +3,11 @@ package settings
 type Nginx struct {
 	AccessLogPath string `json:"access_log_path"`
 	ErrorLogPath  string `json:"error_log_path"`
-	ConfigDir     string `json:"config_dir"`
+	ConfigDir     string `json:"config_dir" protected:"true"`
-	PIDPath       string `json:"pid_path"`
+	PIDPath       string `json:"pid_path" protected:"true"`
-	TestConfigCmd string `json:"test_config_cmd"`
+	TestConfigCmd string `json:"test_config_cmd" protected:"true"`
-	ReloadCmd     string `json:"reload_cmd"`
+	ReloadCmd     string `json:"reload_cmd" protected:"true"`
-	RestartCmd    string `json:"restart_cmd"`
+	RestartCmd    string `json:"restart_cmd" protected:"true"`
 }
 
 var NginxSettings = Nginx{

settings/server.go

@@ -1,18 +1,18 @@
 package settings
 
 type Server struct {
-	HttpHost          string `json:"http_host"`
+	HttpHost          string `json:"http_host" protected:"true"`
-	HttpPort          string `json:"http_port"`
+	HttpPort          string `json:"http_port" protected:"true"`
-	RunMode           string `json:"run_mode"`
+	RunMode           string `json:"run_mode" protected:"true"`
-	JwtSecret         string `json:"jwt_secret"`
+	JwtSecret         string `json:"jwt_secret" protected:"true"`
-	NodeSecret        string `json:"node_secret"`
+	NodeSecret        string `json:"node_secret" protected:"true"`
 	HTTPChallengePort string `json:"http_challenge_port"`
-	Email             string `json:"email"`
+	Email             string `json:"email" protected:"true"`
-	Database          string `json:"database"`
+	Database          string `json:"database" protected:"true"`
-	StartCmd          string `json:"start_cmd"`
+	StartCmd          string `json:"start_cmd" protected:"true"`
 	CADir             string `json:"ca_dir"`
-	Demo              bool   `json:"demo"`
+	Demo              bool   `json:"demo" protected:"true"`
-	PageSize          int    `json:"page_size"`
+	PageSize          int    `json:"page_size" protected:"true"`
 	GithubProxy       string `json:"github_proxy"`
 }