refactor: throw EACCES error for IP, throw EAI_FAIL for domain name.

liqiang-fit2cloud 2025-11-10 10:08:57 +08:00 committed by CaptainB
parent c9f330b1ea
commit 663a6f2db1


@ -115,7 +115,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
return real_connect(sockfd, addr, addrlen);
}
/** 拦截 getaddrinfo() —— 精确匹配域名 */
/** 拦截 getaddrinfo() —— 只拦截域名,不拦截纯 IP */
int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints, struct addrinfo **res) {
static int (*real_getaddrinfo)(const char *, const char *,
@ -126,10 +126,19 @@ int getaddrinfo(const char *node, const char *service,
static char *banned_env = NULL;
if (!banned_env) banned_env = load_banned_hosts();
if (banned_env && *banned_env && node && match_env_patterns(node, banned_env)) {
fprintf(stderr, "[sandbox] 🚫 Access to host %s is banned\n", node);
return EAI_FAIL;
if (banned_env && *banned_env && node) {
// 检测 node 是否是 IP
struct in_addr ipv4;
struct in6_addr ipv6;
int is_ip = (inet_pton(AF_INET, node, &ipv4) == 1) ||
(inet_pton(AF_INET6, node, &ipv6) == 1);
// 只对“非IP的域名”进行屏蔽
if (!is_ip && match_env_patterns(node, banned_env)) {
fprintf(stderr, "[sandbox] 🚫 Access to host %s is banned (DNS blocked)\n", node);
return EAI_FAIL; // 模拟 DNS 层禁止
}
}
return real_getaddrinfo(node, service, hints, res);
}
}
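Review bot: The `is_ip` test on the new side (the two `inet_pton` calls) classifies a narrower set of strings as numeric than the real resolver does — glibc's getaddrinfo also accepts inet_aton-style IPv4 shorthand and IPv6 literals carrying a `%scope` suffix, which `inet_pton` rejects — so those inputs take the "domain" branch, are blocked only if `match_env_patterns` happens to match them, and otherwise reach `real_getaddrinfo` unlogged. That is harmless only if the connect() interposer is the authoritative enforcement point for IP literals, as the commit title implies; that code is outside this hunk, so I cannot confirm it here, and the invariant deserves a comment on the `is_ip` line such as `// NOTE: inet_pton is a best-effort classifier; any numeric host it misses is passed to the real resolver and must be caught by the connect() policy check`. If the two layers are meant to agree, `hints && (hints->ai_flags & AI_NUMERICHOST)` could also be folded into `is_ip` so a caller that declares a numeric host is never matched against domain patterns. The enclosing getaddrinfo body begins in the previous hunk, and the comments added here are in Chinese while the log strings are English — an English `// only domain names are blocked at the resolver; IP literals are handled in connect()` would keep the file consistent.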