mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-16 01:26:07 +00:00
fbad71d620
Second-pass review of the 54-commit self-correcting audit. Each item below was confirmed by reading the surrounding source (and, where practical, the pre-fix code) before being changed; regression tests are included for every behavioral fix. Concurrency: - eventbus: Bus.Subscribe called wg.Add with no synchronization against a concurrent Bus.Stop's wg.Wait, a real "WaitGroup misuse" panic risk (e.g. a Telegram-bot settings save racing panel shutdown/restart). Stop now flips a mu-guarded `stopped` flag before waiting, and Subscribe checks it under the same lock, so Add and Wait can no longer race. Security: - login_limiter: evictForRoom's fallback eviction picked an arbitrary map key, including ones still under an active cooldown - an attacker flooding /login with fresh usernames could evict their own (or anyone's) blocked record and reset the lockout. The fallback now skips actively-blocked records, only falling back to an unconditional evict if the map is somehow entirely full of active blocks (preserves the hard memory cap). Subscription-endpoint panics (reachable by any client hitting /sub): - internal/sub/service.go: applyPathAndHostParams/Obj (ws/httpupgrade/xhttp with no path settings object) and the TLS alpn readers in three places used unchecked type assertions - exactly the bug classabab7cd0patched elsewhere in the same switch statements, just not these call sites. - internal/sub/json_service.go, clash_service.go: the externalProxy loops in the JSON and Clash generators used unchecked assertions on a legacy/admin-supplied field (missing "port", non-object entry, etc.). - internal/sub/json_service.go: realityData's shortId/serverName selection could assert a non-string array element. Other correctness: - client_traffic.go: ResetAllTraffics (touched by3eb214d0) still skipped clearing NodeClientTraffic node-sync baselines, unlike its sibling reset paths in the same file - a node's next sync would re-add pre-reset delta on top of the freshly-zeroed counter. - inbound_traffic.go: the traffic-tick tx's Commit/Rollback errors were silently discarded; now logged so a backend-level commit failure (e.g. an aborted Postgres tx from a best-effort helper) doesn't masquerade as a successful tick. - outbound_subscription.go: the new subscriptionFetchClient doc comment was wedged between fetchAndStore's existing comment and fetchAndStore itself, leaving fetchAndStore undocumented and the comment describing the wrong function. Convention cleanup: - Removed narrative // comments added by the audit that violate this repo's no-inline-comment rule (mostly narrating the specific bug/fix rather than a lasting contract, and mostly on new Test functions, which this repo's existing tests never comment) - calibrated against this exact codebase's own pre-existing comment style so legitimate godoc-style doc comments were left alone.
121 lines
3.8 KiB
Go
121 lines
3.8 KiB
Go
package controller
|
|
|
|
import (
|
|
"strconv"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestLoginLimiterBoundsMemoryUnderUsernameFlood(t *testing.T) {
|
|
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
|
|
for i := 0; i < loginLimitMaxRecords+100; i++ {
|
|
limiter.registerFailure("1.2.3.4", "user-"+strconv.Itoa(i))
|
|
}
|
|
|
|
limiter.mu.Lock()
|
|
n := len(limiter.attempts)
|
|
limiter.mu.Unlock()
|
|
|
|
if n > loginLimitMaxRecords {
|
|
t.Fatalf("attempts map grew to %d, exceeding the %d ceiling under a username flood", n, loginLimitMaxRecords)
|
|
}
|
|
}
|
|
|
|
func TestLoginLimiterEvictionSparesActiveBlocks(t *testing.T) {
|
|
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
|
|
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
|
|
limiter.now = func() time.Time { return now }
|
|
|
|
limiter.mu.Lock()
|
|
for i := 0; i < loginLimitMaxRecords-1; i++ {
|
|
limiter.attempts["victim-"+strconv.Itoa(i)] = &loginLimitRecord{blockedUntil: now.Add(10 * time.Minute)}
|
|
}
|
|
limiter.attempts["filler"] = &loginLimitRecord{failures: []time.Time{now}}
|
|
limiter.mu.Unlock()
|
|
|
|
if _, blocked := limiter.registerFailure("9.9.9.9", "newcomer"); blocked {
|
|
t.Fatal("the eviction-triggering failure itself should not be blocked yet")
|
|
}
|
|
|
|
limiter.mu.Lock()
|
|
defer limiter.mu.Unlock()
|
|
survivors := 0
|
|
for key, record := range limiter.attempts {
|
|
if strings.HasPrefix(key, "victim-") && now.Before(record.blockedUntil) {
|
|
survivors++
|
|
}
|
|
}
|
|
if survivors != loginLimitMaxRecords-1 {
|
|
t.Fatalf("eviction under a full map dropped an actively-blocked record: %d/%d victims survived", survivors, loginLimitMaxRecords-1)
|
|
}
|
|
}
|
|
|
|
func TestLoginLimiterBlocksAfterConfiguredFailures(t *testing.T) {
|
|
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
|
|
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
|
|
limiter.now = func() time.Time { return now }
|
|
|
|
for i := range 4 {
|
|
if _, blocked := limiter.registerFailure("192.0.2.10", "Admin"); blocked {
|
|
t.Fatalf("failure %d should not block yet", i+1)
|
|
}
|
|
if _, ok := limiter.allow("192.0.2.10", "admin"); !ok {
|
|
t.Fatalf("failure %d should still allow login attempts", i+1)
|
|
}
|
|
}
|
|
|
|
blockedUntil, blocked := limiter.registerFailure("192.0.2.10", "ADMIN")
|
|
if !blocked {
|
|
t.Fatal("fifth failure should start cooldown")
|
|
}
|
|
if want := now.Add(15 * time.Minute); !blockedUntil.Equal(want) {
|
|
t.Fatalf("blocked until %s, want %s", blockedUntil, want)
|
|
}
|
|
if _, ok := limiter.allow("192.0.2.10", "admin"); ok {
|
|
t.Fatal("login should be blocked during cooldown")
|
|
}
|
|
|
|
now = blockedUntil
|
|
if _, ok := limiter.allow("192.0.2.10", "admin"); !ok {
|
|
t.Fatal("login should be allowed after cooldown")
|
|
}
|
|
}
|
|
|
|
func TestLoginLimiterPrunesOldFailuresAndResetsOnSuccess(t *testing.T) {
|
|
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
|
|
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
|
|
limiter.now = func() time.Time { return now }
|
|
|
|
for range 4 {
|
|
limiter.registerFailure("192.0.2.10", "admin")
|
|
}
|
|
now = now.Add(6 * time.Minute)
|
|
if _, blocked := limiter.registerFailure("192.0.2.10", "admin"); blocked {
|
|
t.Fatal("old failures should be pruned outside the rolling window")
|
|
}
|
|
|
|
limiter.registerSuccess("192.0.2.10", "admin")
|
|
for i := range 4 {
|
|
if _, blocked := limiter.registerFailure("192.0.2.10", "admin"); blocked {
|
|
t.Fatalf("success should reset previous failures; failure %d blocked", i+1)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestLoginLimiterSeparatesIPAndUsername(t *testing.T) {
|
|
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
|
|
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
|
|
limiter.now = func() time.Time { return now }
|
|
|
|
for range 5 {
|
|
limiter.registerFailure("192.0.2.10", "admin")
|
|
}
|
|
if _, ok := limiter.allow("192.0.2.11", "admin"); !ok {
|
|
t.Fatal("different IP should not be blocked")
|
|
}
|
|
if _, ok := limiter.allow("192.0.2.10", "other-admin"); !ok {
|
|
t.Fatal("different username should not be blocked")
|
|
}
|
|
}
|