airkjw/CLIProxyAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): harden management panel asset updater

Browse Source 
- Abort update when SHA256 digest mismatch is detected instead of
  logging a warning and proceeding (prevents MITM asset replacement)
- Cap asset download size to 10 MB via io.LimitReader (defense-in-depth
  against OOM from oversized responses)
- Add `auto-update-panel` config option (default: false) to make the
  periodic background updater opt-in; the panel is still downloaded
  on first access when missing, but no longer silently auto-updated
  every 3 hours unless explicitly enabled
This commit is contained in:
Xvvln
2026-03-24 00:10:04 +08:00
parent f81acd0760
commit 2db8df8e38
3 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config.example.yaml
View File

@@ -25,6 +25,10 @@ remote-management:
# Disable the bundled management control panel asset download and HTTP route when true.
disable-control-panel: false
# Enable automatic periodic background updates of the management panel from GitHub (default: false).
# When disabled, the panel is only downloaded on first access if missing, and never auto-updated afterward.
# auto-update-panel: false
# GitHub repository for the management control panel. Accepts a repository URL or releases API URL.
panel-github-repository: "https://github.com/router-for-me/Cli-Proxy-API-Management-Center"