airkjw/CLIProxyAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): harden management panel asset updater

Browse Source 
- Abort update when SHA256 digest mismatch is detected instead of
  logging a warning and proceeding (prevents MITM asset replacement)
- Cap asset download size to 10 MB via io.LimitReader (defense-in-depth
  against OOM from oversized responses)
- Add `auto-update-panel` config option (default: false) to make the
  periodic background updater opt-in; the panel is still downloaded
  on first access when missing, but no longer silently auto-updated
  every 3 hours unless explicitly enabled
This commit is contained in:
Xvvln
2026-03-24 00:10:04 +08:00
parent f81acd0760
commit 2db8df8e38
3 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
internal/config/config.go
View File

@@ -171,6 +171,9 @@ type RemoteManagement struct {
SecretKey string `yaml:"secret-key"`
// DisableControlPanel skips serving and syncing the bundled management UI when true.
DisableControlPanel bool `yaml:"disable-control-panel"`
// AutoUpdatePanel enables automatic periodic background updates of the management panel asset from GitHub.
// When false (the default), the panel is only downloaded on first access if missing, and never auto-updated.
AutoUpdatePanel bool `yaml:"auto-update-panel"`
// PanelGitHubRepository overrides the GitHub repository used to fetch the management panel asset.
// Accepts either a repository URL (https://github.com/org/repo) or an API releases endpoint.
PanelGitHubRepository string `yaml:"panel-github-repository"`