mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-03 19:09:36 +00:00
fb311afa6f
The subscription page leaked an inbound's server-side Listen IP into the client-facing URLs when a bind address was set: - Per-config links: resolveInboundAddress returned the bind Listen IP (loopback/private/public alike) instead of the host the subscriber reached the panel on. It now returns the node address for node-managed inbounds, otherwise the subscriber host; the bind Listen is ignored (External Proxy remains the way to advertise a specific endpoint). - Subscription Copy URL (SUB/JSON/CLASH): BuildURLs composed the base differently from the panel's Client Information page and never normalized the request host, so a loopback/bind request leaked the raw IP. The composition is extracted into the shared SettingService.BuildSubURIBase, used by both the panel and the sub page so they render identically, and fed the already-normalized subscriber host.
72 lines
2.1 KiB
Go
72 lines
2.1 KiB
Go
package sub
|
|
|
|
import (
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/mhsanaei/3x-ui/v3/database"
|
|
)
|
|
|
|
func initSubDB(t *testing.T) {
|
|
t.Helper()
|
|
if err := database.InitDB(filepath.Join(t.TempDir(), "x-ui.db")); err != nil {
|
|
t.Fatalf("InitDB: %v", err)
|
|
}
|
|
// Close the handle before t.TempDir cleanup so Windows doesn't refuse to
|
|
// remove the still-open sqlite file.
|
|
t.Cleanup(func() { _ = database.CloseDB() })
|
|
}
|
|
|
|
// The subscription page's Copy URL must be built from the same host the
|
|
// subscriber reached the page on (after PrepareForRequest normalizes away a
|
|
// loopback/bind address) — never the raw listen IP. A subscriber that hit a
|
|
// loopback bind should see "localhost", not "127.0.0.1".
|
|
func TestBuildURLs_NormalizesListenIP(t *testing.T) {
|
|
initSubDB(t)
|
|
s := &SubService{}
|
|
s.PrepareForRequest("127.0.0.1")
|
|
|
|
subURL, _, _ := s.BuildURLs("/sub/", "/json/", "/clash/", "ABC")
|
|
|
|
if strings.Contains(subURL, "127.0.0.1") {
|
|
t.Fatalf("listen IP leaked into Copy URL: %q", subURL)
|
|
}
|
|
if !strings.Contains(subURL, "localhost") {
|
|
t.Fatalf("Copy URL = %q, want a localhost host", subURL)
|
|
}
|
|
if !strings.HasSuffix(subURL, "/sub/ABC") {
|
|
t.Fatalf("Copy URL = %q, want it to end with /sub/ABC", subURL)
|
|
}
|
|
}
|
|
|
|
// A subscriber arriving on a real domain gets that exact domain in the Copy
|
|
// URL, with the configured sub port — matching the Client Information page.
|
|
func TestBuildURLs_UsesSubscriberDomain(t *testing.T) {
|
|
initSubDB(t)
|
|
s := &SubService{}
|
|
s.PrepareForRequest("sub.example.com")
|
|
|
|
subURL, jsonURL, clashURL := s.BuildURLs("/sub/", "/json/", "/clash/", "ABC")
|
|
|
|
if subURL != "http://sub.example.com:2096/sub/ABC" {
|
|
t.Fatalf("subURL = %q", subURL)
|
|
}
|
|
if jsonURL != "http://sub.example.com:2096/json/ABC" {
|
|
t.Fatalf("jsonURL = %q", jsonURL)
|
|
}
|
|
if clashURL != "http://sub.example.com:2096/clash/ABC" {
|
|
t.Fatalf("clashURL = %q", clashURL)
|
|
}
|
|
}
|
|
|
|
func TestBuildURLs_EmptySubId(t *testing.T) {
|
|
initSubDB(t)
|
|
s := &SubService{}
|
|
s.PrepareForRequest("sub.example.com")
|
|
a, b, c := s.BuildURLs("/sub/", "/json/", "/clash/", "")
|
|
if a != "" || b != "" || c != "" {
|
|
t.Fatalf("empty subId must yield empty URLs, got %q %q %q", a, b, c)
|
|
}
|
|
}
|