fix:xss&&crontab

update:actions
2026-02-04 18:51:57 -05:00 · 2026-01-11 13:10:05 +08:00
parent fa3b2954cd
commit 3878369ed3
5 changed files with 124 additions and 113 deletions
--- a/.github/workflows/build-zzz.yml
+++ b/.github/workflows/build-zzz.yml
@@ -3,24 +3,60 @@ name: Build luci-app-zzz
 on:
  workflow_dispatch:
    inputs:
-      sdk:
+      ramips:
-        description: '选择架构'
+        description: 'ramips'
-        required: true
+        required: false
-        type: choice
+        type: boolean
-        options:
+        default: true
-          - ramips
+      filogic:
-          - filogic
+        description: 'filogic'
-          - x86_64
+        required: false
-        default: filogic
+        type: boolean
-
+        default: true
-env:
+      x86_64:
-  RAMIPS_SDK_URL: https://downloads.immortalwrt.org/releases/24.10.3/targets/ramips/mt7621/immortalwrt-sdk-24.10.3-ramips-mt7621_gcc-13.3.0_musl.Linux-x86_64.tar.zst
+        description: 'x86_64'
-  FILOGIC_SDK_URL: https://downloads.immortalwrt.org/releases/24.10.3/targets/mediatek/filogic/immortalwrt-sdk-24.10.3-mediatek-filogic_gcc-13.3.0_musl.Linux-x86_64.tar.zst
+        required: false
-  X86_SDK_URL:  https://downloads.immortalwrt.org/releases/24.10.3/targets/x86/64/immortalwrt-sdk-24.10.3-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst
+        type: boolean
        default: true
 jobs:
-  build:
+  matrix-setup:
    runs-on: ubuntu-latest
    outputs:
      architectures: ${{ steps.set-matrix.outputs.architectures }}
    steps:
      - name: Set matrix
        id: set-matrix
        run: |
          ARCHS='['
          if [ "${{ inputs.ramips }}" == "true" ]; then
            ARCHS=$ARCHS'"ramips",'
          fi
          if [ "${{ inputs.filogic }}" == "true" ]; then
            ARCHS=$ARCHS'"filogic",'
          fi
          if [ "${{ inputs.x86_64 }}" == "true" ]; then
            ARCHS=$ARCHS'"x86_64",'
          fi
          ARCHS=${ARCHS%,}
          ARCHS=$ARCHS']'
          echo "architectures=$ARCHS" >> $GITHUB_OUTPUT
          echo "Selected architectures: $ARCHS"
  build:
    needs: matrix-setup
    if: needs.matrix-setup.outputs.architectures != '[]'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        sdk: ${{ fromJson(needs.matrix-setup.outputs.architectures) }}
    env:
      RAMIPS_URL: https://downloads.immortalwrt.org/releases/24.10.3/targets/ramips/mt7621/immortalwrt-sdk-24.10.3-ramips-mt7621_gcc-13.3.0_musl.Linux-x86_64.tar.zst
      FILOGIC_URL: https://downloads.immortalwrt.org/releases/24.10.3/targets/mediatek/filogic/immortalwrt-sdk-24.10.3-mediatek-filogic_gcc-13.3.0_musl.Linux-x86_64.tar.zst
      X86_URL: https://downloads.immortalwrt.org/releases/24.10.3/targets/x86/64/immortalwrt-sdk-24.10.3-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst
      WORK_ROOT: ${{ github.workspace }}/imwrt-sdk
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -32,24 +68,22 @@ jobs:
          sudo apt-get install -y build-essential git wget python3 rsync zstd g++ make libncurses-dev
          echo "✅ 下载完毕"
-      - name: Resolve SDK choice
+      - name: Set SDK variables
        id: vars
        run: |
-          set -e
+          if [ "${{ matrix.sdk }}" == "ramips" ]; then
-          if [ "${{ github.event.inputs.sdk }}" = "x86_64" ]; then
+            echo "SDK_URL=${{ env.RAMIPS_URL }}" >> $GITHUB_ENV
            echo "SDK_URL=${X86_SDK_URL}" >> $GITHUB_ENV
            echo "PACKAGE_ARCH=x86_64" >> $GITHUB_ENV
            echo "👉 选择x86_64架构"
          elif [ "${{ github.event.inputs.sdk }}" = "filogic" ]; then
            echo "SDK_URL=${FILOGIC_SDK_URL}" >> $GITHUB_ENV
            echo "PACKAGE_ARCH=aarch64_cortex-a53" >> $GITHUB_ENV
            echo "👉 选择aarch64架构"
          else
            echo "SDK_URL=${RAMIPS_SDK_URL}" >> $GITHUB_ENV
            echo "PACKAGE_ARCH=ramips" >> $GITHUB_ENV
-            echo "👉 选择ramips架构"
+          elif [ "${{ matrix.sdk }}" == "filogic" ]; then
            echo "SDK_URL=${{ env.FILOGIC_URL }}" >> $GITHUB_ENV
            echo "PACKAGE_ARCH=aarch64_cortex-a53" >> $GITHUB_ENV
          else
            echo "SDK_URL=${{ env.X86_URL }}" >> $GITHUB_ENV
            echo "PACKAGE_ARCH=x86_64" >> $GITHUB_ENV
          fi
-          echo "WORK_ROOT=$GITHUB_WORKSPACE/imwrt-sdk" >> $GITHUB_ENV
+
      - name: Show build target
        run: |
          echo "👉 正在编译 ${{ matrix.sdk }} 架构 (${{ env.PACKAGE_ARCH }})"
      - name: Download & extract SDK
        run: |
@@ -123,16 +157,16 @@ jobs:
          ls -lah "$OUT"
        shell: bash
-      - name: Upload package one
+      - name: Upload package luci-app-zzz
        uses: actions/upload-artifact@v4
        with:
-          name: luci-app-zzz
+          name: luci-app-zzz-${{ matrix.sdk }}
          path: output/*luci-app-zzz*.ipk
          if-no-files-found: error
-      - name: Upload package two
+      - name: Upload package zzz
        uses: actions/upload-artifact@v4
        with:
-          name: zzz
+          name: zzz-${{ matrix.sdk }}
          path: output/*zzz*.ipk
          if-no-files-found: error
--- a/.github/workflows/mirror-to-codeberg.yml
+++ b/.github/workflows/mirror-to-codeberg.yml
@@ -1,38 +0,0 @@
 name: Mirror to Codeberg
 on:
  push:
    branches:
      - main
    tags:
      - '*'
 jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Push to Codeberg
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY_CODEBERG }}
          REPO_URL_CODEBERG: ${{ secrets.REPO_URL_CODEBERG }}
        run: |
          set -euxo pipefail
          mkdir -p ~/.ssh
          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          cat >> ~/.ssh/config <<EOF
          Host codeberg.org
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking no
          EOF
          git config --global user.name "GitHub Actions"
          git config --global user.email "github-actions@github.com"
          git remote add codeberg "$REPO_URL_CODEBERG"
          git push --tags --force --prune codeberg "refs/remotes/origin/*:refs/heads/*"
--- a/luci-app-zzz/Makefile
+++ b/luci-app-zzz/Makefile
@@ -2,6 +2,8 @@ include $(TOPDIR)/rules.mk
 LUCI_TITLE:=LuCI support for NYN 802.1x Authentication Client
 LUCI_DEPENDS:=+zzz +luci-base
 PKG_VERSION:=1.1.0
 PKG_RELEASE:=1
 include $(TOPDIR)/feeds/luci/luci.mk
--- a/luci-app-zzz/luasrc/controller/zzz.lua
+++ b/luci-app-zzz/luasrc/controller/zzz.lua
@@ -18,10 +18,13 @@ end
 function service_control()
 	local sys = require("luci.sys")
 	local util = require("luci.util")
 	local action = luci.http.formvalue("action")
 	local result = { success = false, message = "" }
-	if action then
+	local valid_actions = { start = true, stop = true, restart = true }
 	if action and valid_actions[action] then
 		local cmd = ""
 		if action == "start" then
 			cmd = "/etc/rc.d/S99zzz start"
@@ -35,12 +38,14 @@ function service_control()
 			local ret = sys.call(cmd)
 			if ret == 0 then
 				result.success = true
-				result.message = action .. " 成功"
+				result.message = util.pcdata(action .. " 成功")
 			else
 				result.success = false
-				result.message = action .. " 失败"
+				result.message = util.pcdata(action .. " 失败")
 			end
 		end
 	else
 		result.message = "无效的操作"
 	end
 	luci.http.prepare_content("application/json")
@@ -52,14 +57,12 @@ function act_status()
 	local util = require("luci.util")
 	local status = {}
 	-- Get status
 	status.running = (sys.call("pgrep -f zzz >/dev/null") == 0)
 	-- Get process info
 	if status.running then
 		status.process_info = util.trim(sys.exec("ps | grep -v grep | grep zzz"))
 	end
-	-- Get log
+
 	local log_file = "/tmp/zzz.log"
 	if nixio.fs.access(log_file) then
 		status.log = util.trim(sys.exec("tail -20 " .. log_file))
@@ -67,6 +70,10 @@ function act_status()
 		status.log = util.trim(sys.exec("logread | grep zzz | tail -10"))
 	end
 	if status.log then
 		status.log = util.pcdata(status.log)
 	end
 	luci.http.prepare_content("application/json")
 	luci.http.write_json(status)
 end
--- a/luci-app-zzz/luasrc/model/cbi/zzz.lua
+++ b/luci-app-zzz/luasrc/model/cbi/zzz.lua
@@ -1,19 +1,6 @@
 -- /usr/lib/lua/luci/model/cbi/zzz.lua
 local m, s, o
 local sys = require("luci.sys")
-
+local util = require("luci.util")
 -- control
 local start_action = luci.http.formvalue("cbid.zzz.auth.start_service")
 local stop_action = luci.http.formvalue("cbid.zzz.auth.stop_service")
 local restart_action = luci.http.formvalue("cbid.zzz.auth.restart_service")
 if start_action then
 	sys.call("/etc/rc.d/S99zzz start")
 elseif stop_action then
 	sys.call("/etc/rc.d/S99zzz stop")
 elseif restart_action then
 	sys.call("/etc/rc.d/S99zzz stop; sleep 2; /etc/rc.d/S99zzz start")
 end
 m = Map("zzz", "ZZZ 802.1x 认证客户端", "配置使用 zzz 客户端进行网络访问的 802.1x 认证")
@@ -22,11 +9,9 @@ s = m:section(TypedSection, "auth", "认证设置")
 s.anonymous = true
 s.addremove = false
 -- Service Status
 o = s:option(DummyValue, "_status", "当前状态")
 o.rawhtml = true
 o.cfgvalue = function()
 	local sys = require("luci.sys")
 	local running = sys.call("pgrep zzz >/dev/null") == 0
 	if running then
 		return "<span style='color:green;font-weight:bold'>✔ 正在运行中</span>"
@@ -40,15 +25,12 @@ control_buttons = s:option(DummyValue, "_control", "服务控制")
 control_buttons.rawhtml = true
 control_buttons.cfgvalue = function()
 	return [[
-        <div style="display: flex; gap: 10px; align-items: center; flex-wrap: wrap;">
+		<div style="display: flex; gap: 10px; align-items: center; flex-wrap: wrap;">
-            <input type="submit" class="cbi-button cbi-button-apply"
+			<button type="button" class="cbi-button cbi-button-apply" onclick="fetch('/cgi-bin/luci/admin/network/zzz/service_control',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'action=start'}).then(r=>r.json()).then(d=>{alert(d.message);if(d.success)location.reload();});return false;">启动服务</button>
-                   name="cbid.zzz.auth.start_service" value="启动服务" />
+			<button type="button" class="cbi-button cbi-button-remove" onclick="fetch('/cgi-bin/luci/admin/network/zzz/service_control',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'action=stop'}).then(r=>r.json()).then(d=>{alert(d.message);if(d.success)location.reload();});return false;">停止服务</button>
-            <input type="submit" class="cbi-button cbi-button-remove"
+			<button type="button" class="cbi-button cbi-button-reload" onclick="fetch('/cgi-bin/luci/admin/network/zzz/service_control',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'action=restart'}).then(r=>r.json()).then(d=>{alert(d.message);if(d.success)location.reload();});return false;">重启服务</button>
-                   name="cbid.zzz.auth.stop_service" value="停止服务" />
+		</div>
-            <input type="submit" class="cbi-button cbi-button-reload"
+	]]
                   name="cbid.zzz.auth.restart_service" value="重启服务" />
        </div>
    ]]
 end
 -- Username
@@ -59,9 +41,18 @@ o = s:option(
 	[[802.1x 认证用户名
 <span style="cursor: help; color: #007bff; font-weight: bold;" title="用户名为学号@运营商，例如212306666@cucc；移动为cmcc，联通为cucc，电信为ctcc">?</span>]]
 )
 o.password = true
 o.rmempty = false
 o.rawhtml = true
 function o.validate(self, value)
 	value = value:match("^%s*(.-)%s*$") or value
 	if #value < 3 or #value > 64 then
 		return nil, "用户名长度必须在3-64字符之间"
 	end
 	if not value:match("^[a-zA-Z0-9@._-]+$") then
 		return nil, "用户名只能包含字母、数字、@、.、_和-"
 	end
 	return value
 end
 -- Password
 o.password = true
@@ -76,6 +67,12 @@ o = s:option(
 o.password = true
 o.rmempty = false
 o.rawhtml = true
 function o.validate(self, value)
 	if #value < 4 or #value > 128 then
 		return nil, "密码长度必须在4-128字符之间"
 	end
 	return value
 end
 -- Network Device
 o = s:option(
@@ -90,14 +87,20 @@ o:value("eth0", "eth0")
 o:value("eth1", "eth1")
 o:value("wan", "WAN")
 -- Add network interface
 local interfaces = sys.net.devices()
 for _, iface in ipairs(interfaces) do
-	if iface ~= "lo" then
+	if iface ~= "lo" and iface:match("^[a-zA-Z0-9]+$") then
 		o:value(iface, iface)
 	end
 end
 function o.validate(self, value)
 	if not value:match("^[a-zA-Z0-9]+$") then
 		return nil, "网络接口只能包含字母和数字"
 	end
 	return value
 end
 -- Auto start
 auto_start = s:option(Flag, "auto_start", "启用定时启动")
 auto_start.description = "启用后将在每周一至周五的 7:00 自动启动服务"
@@ -111,16 +114,19 @@ end
 -- Crontab
 auto_start.write = function(self, section, value)
 	local temp_cron = "/tmp/.zzz_cron_tmp_" .. os.time()
 	if value == "1" then
-		-- 启用定时任务：每周一至周五 7:00 启动
+		sys.call("crontab -l 2>/dev/null > " .. temp_cron)
-		sys.call("(crontab -l 2>/dev/null | grep -v 'S99zzz' | grep -v '# zzz auto') | crontab - 2>/dev/null")
+		sys.call("sed -i '/S99zzz/d' " .. temp_cron)
-		sys.call(
+		sys.call("sed -i '/# zzz auto/d' " .. temp_cron)
-			"(crontab -l 2>/dev/null; echo '0 7 * * 1,2,3,4,5 /etc/rc.d/S99zzz start # zzz auto start') | crontab -"
+		sys.call("echo '0 7 * * 1,2,3,4,5 /etc/rc.d/S99zzz start # zzz auto start' >> " .. temp_cron)
-		)
+		sys.call("crontab " .. temp_cron .. " 2>/dev/null && rm -f " .. temp_cron)
 		sys.call("/etc/init.d/cron enable && /etc/init.d/cron restart")
 	else
-		-- 禁用定时任务
+		sys.call("crontab -l 2>/dev/null > " .. temp_cron)
-		sys.call("(crontab -l 2>/dev/null | grep -v 'S99zzz' | grep -v '# zzz auto') | crontab - 2>/dev/null")
+		sys.call("sed -i '/S99zzz/d' " .. temp_cron)
 		sys.call("sed -i '/# zzz auto/d' " .. temp_cron)
 		sys.call("crontab " .. temp_cron .. " 2>/dev/null && rm -f " .. temp_cron)
 		sys.call("/etc/init.d/cron restart")
 	end
 end