GitHub/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-05-26 07:08:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb5ea3af052f090ec64f03748dc84082003b767c
3x-ui/web
History
MHSanaei b36e5e0869 fix(security): redact at source and cap marshal sizes for CodeQL 
CodeQL kept flagging the merge logger because taint flowed Password ->
ClientMergeConflict.Old -> log even with a runtime redact helper -- the
analyzer can't prove the branch excludes credentials. Redact at the
source instead: uuid/password/auth/subId now only ever land in the
conflict struct as <redacted> placeholders, so no caller (log or
otherwise) can leak them.

For the ClientWithAttachments marshal overflow alert, replace the
MaxInt-len() arithmetic with explicit per-input size caps (256MB each),
which is the pattern CodeQL's own docs recommend and recognizes.
2026-05-19 12:48:01 +02:00
..
controller
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
entity
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
global
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
job
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
locale
v3
2026-05-10 02:13:42 +02:00
middleware
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275)
2026-05-13 12:52:52 +02:00
network
docs: add comments for all functions
2025-09-20 09:35:50 +02:00
runtime
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
service
fix(security): redact at source and cap marshal sizes for CodeQL
2026-05-19 12:48:01 +02:00
session
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275)
2026-05-13 12:52:52 +02:00
translation
Feat/multi inbound clients (#4469)
2026-05-19 12:20:24 +02:00
websocket
fix(websocket): order register/unregister via single ops channel
2026-05-19 12:34:53 +02:00
web.go
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275)
2026-05-13 12:52:52 +02:00