ok
Browse files- Dockerfile +2 -0
- package.json +1 -1
- public/index.html +28 -16
- routes/command.js +6 -5
Dockerfile
CHANGED
|
@@ -11,6 +11,8 @@ RUN npm install
|
|
| 11 |
|
| 12 |
COPY . .
|
| 13 |
|
|
|
|
|
|
|
| 14 |
EXPOSE 7860
|
| 15 |
|
| 16 |
ENV ADMIN_USERNAME=${ADMIN_USERNAME}
|
|
|
|
| 11 |
|
| 12 |
COPY . .
|
| 13 |
|
| 14 |
+
RUN mkdir -p /app/data && chown -R node:node /app /app/data
|
| 15 |
+
|
| 16 |
EXPOSE 7860
|
| 17 |
|
| 18 |
ENV ADMIN_USERNAME=${ADMIN_USERNAME}
|
package.json
CHANGED
|
@@ -21,6 +21,6 @@
|
|
| 21 |
"jest": "^27.0.6"
|
| 22 |
},
|
| 23 |
"engines": {
|
| 24 |
-
"node": ">=
|
| 25 |
}
|
| 26 |
}
|
|
|
|
| 21 |
"jest": "^27.0.6"
|
| 22 |
},
|
| 23 |
"engines": {
|
| 24 |
+
"node": ">=18.0.0"
|
| 25 |
}
|
| 26 |
}
|
public/index.html
CHANGED
|
@@ -7,32 +7,44 @@
|
|
| 7 |
<title>Web 命令执行</title>
|
| 8 |
<script src="https://cdn.tailwindcss.com"></script>
|
| 9 |
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/xss.min.js"></script>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
</head>
|
| 11 |
|
| 12 |
-
<body class="bg-
|
| 13 |
-
<div class="max-w-2xl mx-auto bg-white p-
|
| 14 |
-
<h1 class="text-
|
| 15 |
|
| 16 |
-
<div id="loginForm">
|
| 17 |
-
<input type="text" id="username" placeholder="用户名"
|
| 18 |
-
|
| 19 |
-
<
|
|
|
|
|
|
|
|
|
|
| 20 |
</div>
|
| 21 |
|
| 22 |
-
<div id="commandInterface" style="display: none;">
|
| 23 |
-
<p class="
|
| 24 |
-
<div class="flex
|
| 25 |
<input type="text" id="command" placeholder="输入命令"
|
| 26 |
-
class="flex-grow p-
|
| 27 |
<button id="executeButton"
|
| 28 |
-
class="bg-
|
| 29 |
</div>
|
| 30 |
-
<div id="loadingIndicator" class="text-center
|
| 31 |
<div class="inline-block animate-spin rounded-full h-8 w-8 border-t-2 border-b-2 border-blue-500"></div>
|
| 32 |
</div>
|
| 33 |
-
<div id="output" class="bg-gray-
|
| 34 |
-
<
|
| 35 |
-
|
|
|
|
|
|
|
| 36 |
</div>
|
| 37 |
</div>
|
| 38 |
|
|
|
|
| 7 |
<title>Web 命令执行</title>
|
| 8 |
<script src="https://cdn.tailwindcss.com"></script>
|
| 9 |
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/xss.min.js"></script>
|
| 10 |
+
<style>
|
| 11 |
+
@import url('https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;700&display=swap');
|
| 12 |
+
|
| 13 |
+
body {
|
| 14 |
+
font-family: 'Noto Sans SC', sans-serif;
|
| 15 |
+
}
|
| 16 |
+
</style>
|
| 17 |
</head>
|
| 18 |
|
| 19 |
+
<body class="bg-gradient-to-r from-blue-100 to-purple-100 min-h-screen flex items-center justify-center">
|
| 20 |
+
<div class="max-w-2xl w-full mx-auto bg-white p-8 rounded-lg shadow-xl">
|
| 21 |
+
<h1 class="text-4xl font-bold mb-6 text-center text-blue-600">Web 命令执行</h1>
|
| 22 |
|
| 23 |
+
<div id="loginForm" class="space-y-4">
|
| 24 |
+
<input type="text" id="username" placeholder="用户名"
|
| 25 |
+
class="p-3 border rounded w-full focus:ring-2 focus:ring-blue-300 transition">
|
| 26 |
+
<input type="password" id="password" placeholder="密码"
|
| 27 |
+
class="p-3 border rounded w-full focus:ring-2 focus:ring-blue-300 transition">
|
| 28 |
+
<button id="loginButton"
|
| 29 |
+
class="w-full bg-blue-500 text-white px-4 py-3 rounded hover:bg-blue-600 transition">登录</button>
|
| 30 |
</div>
|
| 31 |
|
| 32 |
+
<div id="commandInterface" style="display: none;" class="space-y-6">
|
| 33 |
+
<p class="text-gray-600">此应用允许您在服务器上执行命令。请在下方输入命令并点击"执行"或按回车键。</p>
|
| 34 |
+
<div class="flex">
|
| 35 |
<input type="text" id="command" placeholder="输入命令"
|
| 36 |
+
class="flex-grow p-3 border rounded-l focus:outline-none focus:ring-2 focus:ring-blue-300 transition">
|
| 37 |
<button id="executeButton"
|
| 38 |
+
class="bg-green-500 text-white px-6 py-3 rounded-r hover:bg-green-600 focus:outline-none focus:ring-2 focus:ring-green-300 transition">执行</button>
|
| 39 |
</div>
|
| 40 |
+
<div id="loadingIndicator" class="text-center" style="display: none;">
|
| 41 |
<div class="inline-block animate-spin rounded-full h-8 w-8 border-t-2 border-b-2 border-blue-500"></div>
|
| 42 |
</div>
|
| 43 |
+
<div id="output" class="bg-gray-100 p-4 rounded h-64 overflow-y-auto font-mono text-sm"></div>
|
| 44 |
+
<div>
|
| 45 |
+
<h2 class="text-2xl font-bold mb-3 text-blue-600">命令历史</h2>
|
| 46 |
+
<ul id="history" class="list-disc pl-5 space-y-2 text-gray-700"></ul>
|
| 47 |
+
</div>
|
| 48 |
</div>
|
| 49 |
</div>
|
| 50 |
|
routes/command.js
CHANGED
|
@@ -10,7 +10,7 @@ const logger = require('../utils/logger');
|
|
| 10 |
const allowedCommands = ['ls', 'pwd', 'whoami', 'date', 'echo', 'cat'];
|
| 11 |
|
| 12 |
// 历史命令文件路径
|
| 13 |
-
const historyFilePath = path.join(__dirname, '..', 'command_history.json');
|
| 14 |
|
| 15 |
router.get('/command-history', async (req, res) => {
|
| 16 |
try {
|
|
@@ -26,10 +26,11 @@ router.post('/execute', async (req, res) => {
|
|
| 26 |
const { command } = req.body;
|
| 27 |
const baseCommand = command.split(' ')[0];
|
| 28 |
|
| 29 |
-
|
| 30 |
-
|
| 31 |
-
|
| 32 |
-
}
|
|
|
|
| 33 |
|
| 34 |
execFile(baseCommand, command.split(' ').slice(1), { timeout: 5000 }, async (error, stdout, stderr) => {
|
| 35 |
if (error) {
|
|
|
|
| 10 |
const allowedCommands = ['ls', 'pwd', 'whoami', 'date', 'echo', 'cat'];
|
| 11 |
|
| 12 |
// 历史命令文件路径
|
| 13 |
+
const historyFilePath = path.join(__dirname, '..', 'data', 'command_history.json');
|
| 14 |
|
| 15 |
router.get('/command-history', async (req, res) => {
|
| 16 |
try {
|
|
|
|
| 26 |
const { command } = req.body;
|
| 27 |
const baseCommand = command.split(' ')[0];
|
| 28 |
|
| 29 |
+
// 白名单检查的部分
|
| 30 |
+
// if (!allowedCommands.includes(baseCommand)) {
|
| 31 |
+
// logger.warn(`用户 ${req.user.username} 尝试执行未授权的命令: ${command}`);
|
| 32 |
+
// return res.status(403).json({ error: '未授权的命令' });
|
| 33 |
+
// }
|
| 34 |
|
| 35 |
execFile(baseCommand, command.split(' ').slice(1), { timeout: 5000 }, async (error, stdout, stderr) => {
|
| 36 |
if (error) {
|