flik/GoTunnel
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(plugin): 实现插件安全验证和审计日志功能
Some checks failed
Build Multi-Platform Binaries / build-frontend (push) Failing after 19s
Details
Build Multi-Platform Binaries / build-binaries (amd64, darwin, server, false) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (amd64, linux, client, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (amd64, linux, server, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (amd64, windows, client, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (amd64, windows, server, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, client, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, server, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm64, darwin, server, false) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm64, linux, client, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm64, linux, server, true) (push) Has been skipped
Details
Build Multi-Platform Binaries / build-binaries (arm64, windows, server, false) (push) Has been skipped
Details

Browse Source 
- 添加插件签名验证机制,支持远程证书吊销列表
- 增加插件安装时的安全检查和签名验证
- 实现插件版本存储的HMAC完整性校验
- 添加插件审计日志记录插件安装和验证事件
- 增加JS插件沙箱安全限制配置
- 添加插件商店API的签名URL字段支持
- 实现安全配置的自动刷新机制
This commit is contained in:
Flik
2025-12-30 22:06:33 +08:00
parent 4d2a2a7117
commit 42e11e0aca
13 changed files with 686 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
cmd/client/main.go
View File

@@ -5,11 +5,13 @@ import (
"log"
"os"
"path/filepath"
"time"
"github.com/gotunnel/internal/client/tunnel"
"github.com/gotunnel/pkg/crypto"
"github.com/gotunnel/pkg/plugin"
"github.com/gotunnel/pkg/plugin/builtin"
"github.com/gotunnel/pkg/plugin/sign"
)
func main() {
@@ -40,6 +42,9 @@ func main() {
}
}
// 初始化安全配置
initSecurityConfig()
// 初始化插件系统
registry := plugin.NewRegistry()
for _, h := range builtin.GetClientPlugins() {
@@ -52,3 +57,38 @@ func main() {
client.Run()
}
// 官方安全配置 URL与服务端保持一致
const (
officialRevocationURL = "https://git.92coco.cn:8443/flik/GoTunnel-Plugins/raw/branch/main/security/revocation.json"
officialKeyListURL = "https://git.92coco.cn:8443/flik/GoTunnel-Plugins/raw/branch/main/security/keys.json"
)
// initSecurityConfig 初始化安全配置
func initSecurityConfig() {
// 配置撤销列表
sign.SetRevocationConfig(sign.RevocationConfig{
RemoteURL: officialRevocationURL,
FetchInterval: 1 * time.Hour,
RequestTimeout: 10 * time.Second,
VerifySignature: true,
})
// 配置公钥列表
sign.SetKeyListConfig(sign.KeyListConfig{
RemoteURL: officialKeyListURL,
FetchInterval: 24 * time.Hour,
RequestTimeout: 10 * time.Second,
})
// 启动后台刷新
stopCh := make(chan struct{})
go sign.StartRevocationRefresher(stopCh)
// 立即拉取一次
if err := sign.FetchRemoteKeyList(); err != nil {
log.Printf("[Security] Fetch key list failed: %v", err)
}
log.Printf("[Security] Initialized")
}