fix

release: v4.7.46
fix
2025-07-19 12:03:37 +00:00 · 2025-05-03 22:26:41 +08:00 · 2025-05-03 08:08:25 +00:00 · 2025-05-03 16:06:51 +08:00
4 changed files with 11 additions and 7 deletions
--- a/manifest.json
+++ b/manifest.json
@@ -4,7 +4,7 @@
  "name": "NapCatQQ",
  "slug": "NapCat.Framework",
  "description": "高性能的 OneBot 11 协议实现",
-  "version": "4.7.45",
+  "version": "4.7.46",
  "icon": "./logo.png",
  "authors": [
    {
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "name": "napcat",
  "private": true,
  "type": "module",
-  "version": "4.7.45",
+  "version": "4.7.46",
  "scripts": {
    "build:universal": "npm run build:webui && vite build --mode universal || exit 1",
    "build:framework": "npm run build:webui && vite build --mode framework || exit 1",
--- a/src/common/version.ts
+++ b/src/common/version.ts
@@ -1 +1 @@
-export const napCatVersion = '4.7.45';
+export const napCatVersion = '4.7.46';
--- a/src/onebot/network/websocket-server.ts
+++ b/src/onebot/network/websocket-server.ts
@@ -39,8 +39,11 @@ export class OB11WebSocketServerAdapter extends IOB11NetworkAdapter<WebsocketSer
                wsClient.close();
                return;
            }
-            //鉴权
-            this.authorize(this.config.token, wsClient, wsReq);
+            // 鉴权 close 不会立刻销毁 当前返回可避免挂载message事件 close 并未立刻关闭 而是存在timer操作后关闭
+            // 引发高危漏洞
+            if (!this.authorize(this.config.token, wsClient, wsReq)) {
+                return;
+            }
            const paramUrl = wsReq.url?.indexOf('?') !== -1 ? wsReq.url?.substring(0, wsReq.url?.indexOf('?')) : wsReq.url;
            const isApiConnect = paramUrl === '/api' || paramUrl === '/api/';
            if (!isApiConnect) {
@@ -145,15 +148,16 @@ export class OB11WebSocketServerAdapter extends IOB11NetworkAdapter<WebsocketSer
    }

    private authorize(token: string | undefined, wsClient: WebSocket, wsReq: IncomingMessage) {
-        if (!token || token.length == 0) return;//客户端未设置密钥
+        if (!token || token.length == 0) return true;//客户端未设置密钥
        const QueryClientToken = urlParse.parse(wsReq?.url || '', true).query['access_token'];
        const HeaderClientToken = wsReq.headers.authorization?.split('Bearer ').pop() || '';
        const ClientToken = typeof (QueryClientToken) === 'string' && QueryClientToken !== '' ? QueryClientToken : HeaderClientToken;
        if (ClientToken === token) {
-            return;
+            return true;
        }
        wsClient.send(JSON.stringify(OB11Response.res(null, 'failed', 1403, 'token验证失败')));
        wsClient.close();
+        return false;
    }

    private checkStateAndReply<T>(data: T, wsClient: WebSocket) {
Author	SHA1	Message	Date
手瓜一十雪	7e31763a25	fix	2025-05-03 22:26:41 +08:00
Mlikiowa	c9df57d16a	release: v4.7.46	2025-05-03 08:08:25 +00:00
手瓜一十雪	3d0f8ee657	fix	2025-05-03 16:06:51 +08:00