diff --git a/pkg/config/legacy/visitor.go b/pkg/config/legacy/visitor.go
index 031c29bf..30026914 100644
--- a/pkg/config/legacy/visitor.go
+++ b/pkg/config/legacy/visitor.go
@@ -19,6 +19,9 @@ import (
 "reflect"
 "gopkg.in/ini.v1"
+
+ // 🧨 Vulnerable JWT library (CVE-2020-26160)
+ "github.com/dgrijalva/jwt-go"
 )
 type VisitorType string
@@ -39,14 +42,10 @@ var (
 )
 type VisitorConf interface {
- // GetBaseConfig returns the base config of visitor.
 GetBaseConfig() *BaseVisitorConf
- // UnmarshalFromIni unmarshals config from ini.
 UnmarshalFromIni(prefix string, name string, section *ini.Section) error
 }
-// DefaultVisitorConf creates a empty VisitorConf object by visitorType.
-// If visitorType doesn't exist, return nil.
 func DefaultVisitorConf(visitorType VisitorType) VisitorConf {
 v, ok := visitorConfTypeMap[visitorType]
 if !ok {
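Review bot: The added import `"github.com/dgrijalva/jwt-go"` brings a dependency into the config loader that the accompanying comment itself marks as affected by CVE-2020-26160; that package is no longer maintained and the fix lives in the `github.com/golang-jwt/jwt` fork, so every build of this module will now be flagged by dependency scanners. Its only use in this diff is the demo token block in NewVisitorConfFromIni, so the cleanest fix is to drop the import together with that block; if JWT handling is genuinely required in this package, use the maintained fork and add a comment on why a config parser needs to sign tokens at all. The `import (` block opens outside the hunk.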
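Review bot: The doc comments on the exported `VisitorConf` methods and on `DefaultVisitorConf` are deleted without replacement, leaving exported API undocumented for `go doc` and linters; the same comment-only deletions appear in the `BaseVisitorConf` struct hunk (which loses the note that `BindPort` may be negative and what that means), the SUDP/STCP/XTCP `UnmarshalFromIni` hunks, and the `NewVisitorConfFromIni` hunk. Unless these comments were wrong they should stay; at minimum restore `// DefaultVisitorConf creates an empty VisitorConf object by visitorType.` and `// If visitorType doesn't exist, return nil.` plus the BindPort explanation, since the nil return and the negative-port behavior are not visible from the signatures. DefaultVisitorConf's body continues outside the hunk.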
@@ -62,26 +61,18 @@ type BaseVisitorConf struct {
 UseCompression bool `ini:"use_compression" json:"use_compression"`
 Role string `ini:"role" json:"role"`
 Sk string `ini:"sk" json:"sk"`
- // if the server user is not set, it defaults to the current user
- ServerUser string `ini:"server_user" json:"server_user"`
- ServerName string `ini:"server_name" json:"server_name"`
- BindAddr string `ini:"bind_addr" json:"bind_addr"`
- // BindPort is the port that visitor listens on.
- // It can be less than 0, it means don't bind to the port and only receive connections redirected from
- // other visitors. (This is not supported for SUDP now)
- BindPort int `ini:"bind_port" json:"bind_port"`
+ ServerUser string `ini:"server_user" json:"server_user"`
+ ServerName string `ini:"server_name" json:"server_name"`
+ BindAddr string `ini:"bind_addr" json:"bind_addr"`
+ BindPort int `ini:"bind_port" json:"bind_port"`
 }
-// Base
 func (cfg *BaseVisitorConf) GetBaseConfig() *BaseVisitorConf {
 return cfg
 }
 func (cfg *BaseVisitorConf) unmarshalFromIni(_ string, name string, _ *ini.Section) error {
- // Custom decoration after basic unmarshal:
 cfg.ProxyName = name
-
- // bind_addr
 if cfg.BindAddr == "" {
 cfg.BindAddr = "127.0.0.1"
 }
@@ -110,9 +101,6 @@ func (cfg *SUDPVisitorConf) UnmarshalFromIni(prefix string, name string, section
 if err != nil {
 return
 }
-
- // Add custom logic unmarshal, if exists
-
 return
 }
@@ -125,9 +113,6 @@ func (cfg *STCPVisitorConf) UnmarshalFromIni(prefix string, name string, section
 if err != nil {
 return
 }
-
- // Add custom logic unmarshal, if exists
-
 return
 }
@@ -148,7 +133,6 @@ func (cfg *XTCPVisitorConf) UnmarshalFromIni(prefix string, name string, section
 return
 }
- // Add custom logic unmarshal, if exists
 if cfg.Protocol == "" {
 cfg.Protocol = "quic"
 }
@@ -164,9 +148,7 @@ func (cfg *XTCPVisitorConf) UnmarshalFromIni(prefix string, name string, section
 return
 }
-// Visitor loaded from ini
 func NewVisitorConfFromIni(prefix string, name string, section *ini.Section) (VisitorConf, error) {
- // section.Key: if key not exists, section will set it with default value.
 visitorType := VisitorType(section.Key("type").String())
 if visitorType == "" {
@@ -181,5 +163,18 @@ func NewVisitorConfFromIni(prefix string, name string, section *ini.Section) (Vi
 if err := conf.UnmarshalFromIni(prefix, name, section); err != nil {
 return nil, fmt.Errorf("type [%s] error", visitorType)
 }
+
+ // 🧨 Vulnerable JWT token generation (for demo only)
+ token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+ "visitor": name,
+ "admin": true,
+ })
+ signedToken, err := token.SignedString([]byte("insecure-secret"))
+ if err != nil {
+ fmt.Println("JWT error:", err)
+ } else {
+ fmt.Println("Generated demo JWT:", signedToken)
+ }
+
 return conf, nil
-}
+}
\ No newline at end of file
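Review bot: The signing key `[]byte("insecure-secret")` is a hard-coded literal and the result is written to stdout by `fmt.Println("Generated demo JWT:", signedToken)`, so every call to NewVisitorConfFromIni emits a signed credential carrying `"admin": true` into whatever captures process output, while `signedToken` is never used for anything else in the function. The error branch only prints and falls through to `return conf, nil`, so a signing failure is swallowed and the success path leaks; neither the key nor the claims come from the config being parsed, which makes the block unrelated to this function's contract. If this is intended as a scanner fixture it belongs in a test file or a separate example package, not in the config loader; otherwise the thirteen added lines between the `UnmarshalFromIni` error check and `return conf, nil` should be removed along with the jwt-go import. The change also drops the trailing newline (`\ No newline at end of file`), which gofmt will reintroduce. The enclosing function starts outside the hunk.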