npm - @whyour/qinglong - Versions diffs - 2.20.1-0 → 2.20.2-0 - Mend

@whyour/qinglong 2.20.1-0 → 2.20.2-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/static/build/loaders/express.js +29 -5
package/version.yaml +5 -10

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@whyour/qinglong",
   "packageManager": "pnpm@8.3.1",
-  "version": "2.20.1-0",
+  "version": "2.20.2-0",
   "description": "Timed task management platform supporting Python3, JavaScript, Shell, Typescript",
   "repository": {
     "type": "git",

package/static/build/loaders/express.js CHANGED Viewed

@@ -17,8 +17,25 @@ const store_1 = require("../shared/store");
 const auth_1 = require("../shared/auth");
 const path_1 = __importDefault(require("path"));
 exports.default = ({ app }) => {
+    // Security: Enable strict routing to prevent case-insensitive path bypass
+    app.set('case sensitive routing', true);
+    app.set('strict routing', true);
     app.set('trust proxy', 'loopback');
     app.use((0, cors_1.default)());
+    // Security: Path normalization middleware to prevent case variation attacks
+    app.use((req, res, next) => {
+        const originalPath = req.path;
+        const normalizedPath = originalPath.toLowerCase();
+        // Block requests with case variations on protected paths
+        if (originalPath !== normalizedPath &&
+            (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
+            return res.status(400).json({
+                code: 400,
+                message: 'Invalid path format'
+            });
+        }
+        next();
+    });
     // Rewrite URLs to strip baseUrl prefix if configured
     // This allows the rest of the app to work without baseUrl awareness
     if (config_1.default.baseUrl) {
@@ -34,7 +51,7 @@ exports.default = ({ app }) => {
         secret: config_1.default.jwt.secret,
         algorithms: ['HS384'],
     }).unless({
-        path: [...config_1.default.apiWhiteList, /^\/(?!api\/).*/],
+        path: [...config_1.default.apiWhiteList, /^(\/(?!api\/).*)$/i],
     }));
     app.use((req, res, next) => {
         if (!req.headers) {
@@ -48,16 +65,17 @@ exports.default = ({ app }) => {
     });
     app.use(async (req, res, next) => {
         var _a;
-        if (!['/open/', '/api/'].some((x) => req.path.startsWith(x))) {
+        const pathLower = req.path.toLowerCase();
+        if (!['/open/', '/api/'].some((x) => pathLower.startsWith(x))) {
             return next();
         }
         const headerToken = (0, util_1.getToken)(req);
-        if (req.path.startsWith('/open/')) {
+        if (pathLower.startsWith('/open/')) {
             const apps = await store_1.shareStore.getApps();
             const doc = (_a = apps === null || apps === void 0 ? void 0 : apps.filter((x) => { var _a; return (_a = x.tokens) === null || _a === void 0 ? void 0 : _a.find((y) => y.value === headerToken); })) === null || _a === void 0 ? void 0 : _a[0];
             if (doc && doc.tokens && doc.tokens.length > 0) {
                 const currentToken = doc.tokens.find((x) => x.value === headerToken);
-                const keyMatch = req.path.match(/\/open\/([a-z]+)\/*/);
+                const keyMatch = pathLower.match(/\/open\/([a-z]+)\/*/);
                 const key = keyMatch && keyMatch[1];
                 if (doc.scopes.includes(key) &&
                     currentToken &&
@@ -84,7 +102,13 @@ exports.default = ({ app }) => {
         next(err);
     });
     app.use(async (req, res, next) => {
-        if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {
+        const pathLower = req.path.toLowerCase();
+        if (![
+            '/api/user/init',
+            '/api/user/notification/init',
+            '/open/user/init',
+            '/open/user/notification/init',
+        ].includes(req.path)) {
             return next();
         }
         const authInfo = (await store_1.shareStore.getAuthInfo()) || {};

package/version.yaml CHANGED Viewed

@@ -1,11 +1,6 @@
-version: 2.20.1
-changeLogLink: https://t.me/jiao_long/433
-publishTime: 2025-12-26 22:00
+version: 2.20.2
+changeLogLink: https://t.me/jiao_long/434
+publishTime: 2026-03-01 1800
 changeLog: |
-  1. 修复获取依赖管理列表
-  2. notify.js 修复 TG_PROXY_AUTH 参数拼接
-  3. QLAPI.notify larkSecret 参数
-  4. 修复 cron parser 定时规则校验
-  5. 修复设置 baseUrl 后无法访问
-  6. 修复环境变量排序
-  7. 修复定时任务无法停止
+  1. 修复 path 安全漏洞（重要）