chore: sync VERSION file with release v1.1.252 [skip ci]

fix: 移除context_management字段，避免报错
chore: sync VERSION file with release v1.1.251 [skip ci]
2026-01-24 09:41:17 +00:00 · 2026-01-07 08:22:01 +00:00 · 2026-01-07 16:21:41 +08:00 · 2026-01-01 05:57:53 +00:00 · 2025-12-30 01:18:06 -05:00 · 2025-12-29 05:46:39 +00:00
10 changed files with 207 additions and 43 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,10 @@
 # Claude Relay Service

+> [!CAUTION]
+> **安全更新通知**：v1.1.248 及以下版本存在严重的管理员认证绕过漏洞，攻击者可未授权访问管理面板。
+>
+> **请立即更新到 v1.1.249+ 版本**，或迁移到新一代项目 **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
+
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,5 +1,10 @@
 # Claude Relay Service

+> [!CAUTION]
+> **Security Update**: v1.1.248 and below contain a critical admin authentication bypass vulnerability allowing unauthorized access to the admin panel.
+>
+> **Please update to v1.1.249+ immediately**, or migrate to the next-generation project **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
+
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.240
+1.1.252
--- a/src/app.js
+++ b/src/app.js
@@ -68,6 +68,10 @@ class Application {
      logger.info('🔄 Initializing admin credentials...')
      await this.initializeAdmin()

+      // 🔒 安全启动：清理无效/伪造的管理员会话
+      logger.info('🔒 Cleaning up invalid admin sessions...')
+      await this.cleanupInvalidSessions()
+
      // 💰 初始化费用数据
      logger.info('💰 Checking cost data initialization...')
      const costInitService = require('./services/costInitService')
@@ -426,6 +430,54 @@ class Application {
    }
  }

+  // 🔒 清理无效/伪造的管理员会话（安全启动检查）
+  async cleanupInvalidSessions() {
+    try {
+      const client = redis.getClient()
+
+      // 获取所有 session:* 键
+      const sessionKeys = await client.keys('session:*')
+
+      let validCount = 0
+      let invalidCount = 0
+
+      for (const key of sessionKeys) {
+        // 跳过 admin_credentials（系统凭据）
+        if (key === 'session:admin_credentials') {
+          continue
+        }
+
+        const sessionData = await client.hgetall(key)
+
+        // 检查会话完整性：必须有 username 和 loginTime
+        const hasUsername = !!sessionData.username
+        const hasLoginTime = !!sessionData.loginTime
+
+        if (!hasUsername || !hasLoginTime) {
+          // 无效会话 - 可能是漏洞利用创建的伪造会话
+          invalidCount++
+          logger.security(
+            `🔒 Removing invalid session: ${key} (username: ${hasUsername}, loginTime: ${hasLoginTime})`
+          )
+          await client.del(key)
+        } else {
+          validCount++
+        }
+      }
+
+      if (invalidCount > 0) {
+        logger.security(`🔒 Startup security check: Removed ${invalidCount} invalid sessions`)
+      }
+
+      logger.success(
+        `✅ Session cleanup completed: ${validCount} valid, ${invalidCount} invalid removed`
+      )
+    } catch (error) {
+      // 清理失败不应阻止服务启动
+      logger.error('❌ Failed to cleanup invalid sessions:', error.message)
+    }
+  }
+
  // 🔍 Redis健康检查
  async checkRedisHealth() {
    try {
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -1389,6 +1389,18 @@ const authenticateAdmin = async (req, res, next) => {
      })
    }

+    // 🔒 安全修复：验证会话必须字段（防止伪造会话绕过认证）
+    if (!adminSession.username || !adminSession.loginTime) {
+      logger.security(
+        `🔒 Corrupted admin session from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
+      )
+      await redis.deleteSession(token) // 清理无效/伪造的会话
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 检查会话活跃性（可选：检查最后活动时间）
    const now = new Date()
    const lastActivity = new Date(adminSession.lastActivity || adminSession.loginTime)
@@ -1422,7 +1434,6 @@ const authenticateAdmin = async (req, res, next) => {

    // 设置管理员信息（只包含必要信息）
    req.admin = {
-      id: adminSession.adminId || 'admin',
      username: adminSession.username,
      sessionId: token,
      loginTime: adminSession.loginTime
@@ -1555,8 +1566,15 @@ const authenticateUserOrAdmin = async (req, res, next) => {
      try {
        const adminSession = await redis.getSession(adminToken)
        if (adminSession && Object.keys(adminSession).length > 0) {
+          // 🔒 安全修复：验证会话必须字段（与 authenticateAdmin 保持一致）
+          if (!adminSession.username || !adminSession.loginTime) {
+            logger.security(
+              `🔒 Corrupted admin session in authenticateUserOrAdmin from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
+            )
+            await redis.deleteSession(adminToken) // 清理无效/伪造的会话
+            // 不返回 401，继续尝试用户认证
+          } else {
            req.admin = {
-            id: adminSession.adminId || 'admin',
              username: adminSession.username,
              sessionId: adminToken,
              loginTime: adminSession.loginTime
@@ -1567,6 +1585,7 @@ const authenticateUserOrAdmin = async (req, res, next) => {
            logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`)
            return next()
          }
+        }
      } catch (error) {
        logger.debug('Admin authentication failed, trying user authentication:', error.message)
      }
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -179,18 +179,18 @@ async function handleMessagesRequest(req, res) {
    const isStream = req.body.stream === true

    // 临时修复新版本客户端，删除context_management字段，避免报错
-    // if (req.body.context_management) {
-    //   delete req.body.context_management
-    // }
+    if (req.body.context_management) {
+      delete req.body.context_management
+    }

    // 遍历tools数组，删除input_examples字段
-    // if (req.body.tools && Array.isArray(req.body.tools)) {
-    //   req.body.tools.forEach((tool) => {
-    //     if (tool && typeof tool === 'object' && tool.input_examples) {
-    //       delete tool.input_examples
-    //     }
-    //   })
-    // }
+    if (req.body.tools && Array.isArray(req.body.tools)) {
+      req.body.tools.forEach((tool) => {
+        if (tool && typeof tool === 'object' && tool.input_examples) {
+          delete tool.input_examples
+        }
+      })
+    }

    logger.api(
      `🚀 Processing ${isStream ? 'stream' : 'non-stream'} request for key: ${req.apiKey.name}`
--- a/src/routes/openaiClaudeRoutes.js
+++ b/src/routes/openaiClaudeRoutes.js
@@ -402,8 +402,19 @@ async function handleChatCompletion(req, res, apiKeyData) {
    const duration = Date.now() - startTime
    logger.info(`✅ OpenAI-Claude request completed in ${duration}ms`)
  } catch (error) {
+    // 客户端主动断开连接是正常情况，使用 INFO 级别
+    if (error.message === 'Client disconnected') {
+      logger.info('🔌 OpenAI-Claude stream ended: Client disconnected')
+    } else {
      logger.error('❌ OpenAI-Claude request error:', error)
+    }

+    // 检查响应是否已发送（流式响应场景），避免 ERR_HTTP_HEADERS_SENT
+    if (!res.headersSent) {
+      // 客户端断开使用 499 状态码 (Client Closed Request)
+      if (error.message === 'Client disconnected') {
+        res.status(499).end()
+      } else {
        const status = error.status || 500
        res.status(status).json({
          error: {
@@ -412,6 +423,8 @@ async function handleChatCompletion(req, res, apiKeyData) {
            code: 'internal_error'
          }
        })
+      }
+    }
  } finally {
    // 清理资源
    if (abortController) {
--- a/src/routes/openaiGeminiRoutes.js
+++ b/src/routes/openaiGeminiRoutes.js
@@ -604,7 +604,12 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
    const duration = Date.now() - startTime
    logger.info(`OpenAI-Gemini request completed in ${duration}ms`)
  } catch (error) {
+    // 客户端主动断开连接是正常情况，使用 INFO 级别
+    if (error.message === 'Client disconnected') {
+      logger.info('🔌 OpenAI-Gemini stream ended: Client disconnected')
+    } else {
      logger.error('OpenAI-Gemini request error:', error)
+    }

    // 处理速率限制
    if (error.status === 429) {
@@ -613,6 +618,12 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
      }
    }

+    // 检查响应是否已发送（流式响应场景），避免 ERR_HTTP_HEADERS_SENT
+    if (!res.headersSent) {
+      // 客户端断开使用 499 状态码 (Client Closed Request)
+      if (error.message === 'Client disconnected') {
+        res.status(499).end()
+      } else {
        // 返回 OpenAI 格式的错误响应
        const status = error.status || 500
        const errorResponse = {
@@ -622,8 +633,9 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
            code: 'internal_error'
          }
        }
-
        res.status(status).json(errorResponse)
+      }
+    }
  } finally {
    // 清理资源
    if (abortController) {
--- a/src/routes/web.js
+++ b/src/routes/web.js
@@ -164,13 +164,27 @@ router.post('/auth/change-password', async (req, res) => {

    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
+    // 🔒 安全修复：检查空对象
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(
+        `🔒 Invalid session structure in /auth/change-password from ${req.ip || 'unknown'}`
+      )
+      await redis.deleteSession(token)
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 获取当前管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -269,13 +283,25 @@ router.get('/auth/user', async (req, res) => {

    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
+    // 🔒 安全修复：检查空对象
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(`🔒 Invalid session structure in /auth/user from ${req.ip || 'unknown'}`)
+      await redis.deleteSession(token)
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 获取管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -316,13 +342,24 @@ router.post('/auth/refresh', async (req, res) => {

    const sessionData = await redis.getSession(token)

-    if (!sessionData) {
+    // 🔒 安全修复：检查空对象（hgetall 对不存在的 key 返回 {}）
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性（必须有 username 和 loginTime）
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(`🔒 Invalid session structure detected from ${req.ip || 'unknown'}`)
+      await redis.deleteSession(token) // 清理无效/伪造的会话
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 更新最后活动时间
    sessionData.lastActivity = new Date().toISOString()
    await redis.setSession(token, sessionData, config.security.adminSessionTimeout)
Author	SHA1	Message	Date
github-actions[bot]	39ba345a43	chore: sync VERSION file with release v1.1.252 [skip ci]	2026-01-07 08:22:01 +00:00
shaw	2693fd77b7	fix: 移除context_management字段，避免报错	2026-01-07 16:21:41 +08:00
github-actions[bot]	0a59a0f9d4	chore: sync VERSION file with release v1.1.251 [skip ci]	2026-01-01 05:57:53 +00:00
Chapoly1305	c4448db6ab	fix: 防止客户端断开连接时服务崩溃当客户端在流式响应过程中断开连接时，catch 块尝试发送 JSON 错误响应会触发 ERR_HTTP_HEADERS_SENT 错误，导致 unhandledRejection 使服务崩溃。修复文件： - src/routes/openaiClaudeRoutes.js - src/routes/openaiGeminiRoutes.js 修复内容： - 添加 res.headersSent 检查，避免在响应已发送后再次尝试发送 - 客户端断开连接使用 INFO 级别日志（不是 ERROR） - 客户端断开使用 499 状态码 (Client Closed Request) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-30 01:18:06 -05:00
github-actions[bot]	a345812cd7	chore: sync VERSION file with release v1.1.250 [skip ci]	2025-12-29 05:46:39 +00:00
shaw	a0cbafd759	Merge branch 'fix-authenticateUserOrAdmin-bypass'	2025-12-29 13:45:44 +08:00
Wesley Liddick	3c64038fa7	Create SECURITY.md for security policy [skip ci] Add a security policy document outlining supported versions and vulnerability reporting.	2025-12-29 13:37:15 +08:00
Junming Chen	45b81bd478	fix: 修复 authenticateUserOrAdmin 认证绕过漏洞 - 添加 username 和 loginTime 字段验证（与 authenticateAdmin 保持一致） - 无效/伪造会话自动删除并记录安全日志 - 删除未使用的 id 字段（死代码清理）漏洞详情： - 位置：src/middleware/auth.js:1569-1581 - 原因：只检查 Object.keys(session).length > 0，未验证必须字段 - 影响：攻击者可通过注入最小会话 {foo:'bar'} 绕过认证 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-28 23:56:05 -05:00
github-actions[bot]	fc57133230	chore: sync VERSION file with release v1.1.249 [skip ci]	2025-12-26 11:26:14 +00:00
shaw	1f06af4a56	chore: trigger release [force release]	2025-12-26 19:25:53 +08:00
shaw	6165fad090	docs: 添加安全漏洞警告	2025-12-26 19:22:08 +08:00
shaw	d53a399d41	revert: 回退到安全漏洞修复版本	2025-12-26 19:15:50 +08:00
shaw	982cca1020	fix: 修复鉴权检测的重大安全漏洞	2025-12-25 14:23:35 +08:00
@@ -1 +1 @@
 .1.240
 .1.252