Unverified Commit 4b50f830 authored by Aleksana's avatar Aleksana Committed by GitHub

clash-verge-rev: 2.4.2 -> 2.4.3 (#461294)

parents 892949d3 b806c19e
+0 −49
From 3f86afc3a14474bff39573b1806046c888203096 Mon Sep 17 00:00:00 2001
From: wxt <3264117476@qq.com>
Date: Thu, 19 Jun 2025 15:37:16 +0800
Subject: [PATCH 1/2] core: validate bin_path to prevent RCE in start_clash

Add a security check in CoreManager::start_clash to ensure that the provided
binary path (`bin_path`) must be located under the current executable's
directory. This prevents potential remote code execution (RCE) attacks
caused by arbitrary binary path injection.
---
 src/service/core.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/service/core.rs b/src/service/core.rs
index 28e1d42..21efb26 100644
--- a/src/service/core.rs
+++ b/src/service/core.rs
@@ -7,6 +7,7 @@ use once_cell::sync::Lazy;
 use std::{
     sync::{atomic::Ordering, Arc, Mutex},
     fs::File,
+    env,
 };
 use log::{info, error};
 
@@ -223,6 +224,20 @@ impl CoreManager {
     }
 
     pub fn start_clash(&self, body: StartBody) -> Result<(), String> {
+        {
+            let bin_path = std::path::Path::new(body.bin_path.as_str());
+            let current_exe = std::env::current_exe()
+                .map_err(|e| format!("Failed to get current exe path: {}", e))?;
+            let current_dir = current_exe.parent()
+                .ok_or("Failed to get current directory")?;
+
+            if !bin_path.starts_with(current_dir) {
+                return Err(format!(
+                    "Invalid binary path for clash kernel. It must be under: {}",
+                    current_dir.display()
+                ));
+            }
+        }
         // 设置配置并测试
         {
             info!("设置Clash运行时配置: {:?}", body);
-- 
2.49.0
+0 −33
From f7b094a19a47ba515d734f65754d4e57b87239c1 Mon Sep 17 00:00:00 2001
From: wxt <3264117476@qq.com>
Date: Thu, 19 Jun 2025 15:45:44 +0800
Subject: [PATCH 2/2] core: prevent overwriting existing file by validating its
 existence

Add a check to verify whether the specified `log_file` already exists before proceeding.
If the file exists, return an error to prevent accidental or malicious overwriting of files.
This enhances the security of log file handling by mitigating arbitrary file overwrite risks.
---
 src/service/core.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/service/core.rs b/src/service/core.rs
index 21efb26..004d0f0 100644
--- a/src/service/core.rs
+++ b/src/service/core.rs
@@ -123,6 +123,12 @@ impl CoreManager {
         let config_file = config.config_file.as_str();
         let log_file = config.log_file.as_str();
         let args = vec!["-d", config_dir, "-f", config_file];
+        {
+            let log_file_2 = std::path::Path::new(log_file);
+            if log_file_2.exists() {
+                return Err(anyhow!(format!("Log file already exists: {}", log_file_2.display())));
+            }
+        }
 
         info!("正在启动mihomo: {} -d {} -f {}", bin_path, config_dir, config_file);
 
-- 
2.49.0
+0 −32
From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001
From: wxt <3264117476@qq.com>
Date: Sat, 28 Jun 2025 14:30:23 +0800
Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock

---
 src/service/ipc.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/service/ipc.rs b/src/service/ipc.rs
index df39787..f441cd2 100644
--- a/src/service/ipc.rs
+++ b/src/service/ipc.rs
@@ -20,7 +20,7 @@ use std::ffi::OsStr;
 const IPC_SOCKET_NAME: &str = if cfg!(windows) {
     r"\\.\pipe\clash-verge-service"
 } else {
-    "/tmp/clash-verge-service.sock"
+    "/run/clash-verge-rev/service.sock"
 };
 
 /// 消息时间有效期(秒)
@@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re
         .context("写入响应内容失败")?;
     
     Ok(())
-} 
\ No newline at end of file
+} 
-- 
2.49.0
+4 −16
@@ -12,32 +12,20 @@
}:
let
  pname = "clash-verge-rev";
  version = "2.4.2";
  version = "2.4.3";

  src = fetchFromGitHub {
    owner = "clash-verge-rev";
    repo = "clash-verge-rev";
    tag = "v${version}";
    hash = "sha256-HBWvk6bX0GjU/yvUejYgTQM8/IP5dYVrf30wNzgWv0s=";
    hash = "sha256-GmoeOLKxdW1x6PHtslwNPVq8wDWA413NHA/VeDRb4mA=";
  };

  src-service = fetchFromGitHub {
    owner = "clash-verge-rev";
    repo = "clash-verge-service";
    rev = "396150683e01e79740563561ae2fe2db28fb8904"; # no meaningful tags in this repo. The only way is updating manully every time.
    hash = "sha256-D6U22+tJ6vxn8/BTj/PV+4SF5fvGv6KAWtu5+PNJ1SQ=";
  };

  service-cargo-hash = "sha256-54nmhQjtPLMPoRML/3rG1jipT1VC5EDgRXnKDYuLVmM=";
  pnpm-hash = "sha256-neRjVL29xxbQu/XxsQjdAka71oJww40LeDusjsgsY00=";
  vendor-hash = "sha256-XszXDajAdYKEUoyrHZDxxp8ICReMnSdEeKVx7JHiaU4=";
  pnpm-hash = "sha256-qDwXPTfh1yOlugZe1UPUMKRyZOSagG4lX2eiFACgHRw=";
  vendor-hash = "sha256-z5xVbqh+CiaTDtAx2VPQ4UjliYnV44tdp3pS8vzb1K4=";

  service = callPackage ./service.nix {
    inherit
      version
      src-service
      service-cargo-hash
      pname
      meta
      ;
  };
+34 −34
{
  version,
  rustPlatform,
  src-service,
  pkg-config,
  openssl,
  pname,
  service-cargo-hash,
  fetchFromGitHub,
  meta,
  procps,
}:
rustPlatform.buildRustPackage {
  pname = "${pname}-service";
  inherit version meta;

  src = src-service;
  sourceRoot = "${src-service.name}";
rustPlatform.buildRustPackage (finalAttrs: {
  pname = "clash-verge-service-ipc";
  version = "2.0.21";

  patches = [
    # I want to keep these patches because it's not harmful.
  src = fetchFromGitHub {
    owner = "clash-verge-rev";
    repo = "clash-verge-service-ipc";
    rev = "v${finalAttrs.version}";
    hash = "sha256-9c9fM1l31NbY//Ri50Ql60BWWgISjMWj72ABixRaXvM=";
  };

    # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory.
    # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run.
    ./0001-core-validate-bin_path-to-prevent-RCE-in-start_clash.patch
  postPatch = ''
    # set socket path for service and test respectively
    substituteInPlace src/lib.rs \
      --replace-fail "/tmp/verge/clash-verge-service.sock" "/run/clash-verge-rev/service.sock" \
      --replace-fail "/tmp/verge/clash-verge-service-test.sock" "$sourceRoot/clash-verge-service-test.sock"
    substituteInPlace tests/test_start_permissions.rs \
      --replace-fail "owner_perm | group_perm | other_perm" "0o0755"
  '';

    # Patch: Add validation to prevent overwriting existing files.
    # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing.
    ./0002-core-prevent-overwriting-existing-file-by-validating.patch
  cargoHash = "sha256-UbNN3uFu5anQV+3KMFPNnGrCDQTGb4uC9K83YghfQgY=";

    # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock
    # This allows we enable ProtectSystem="strict" and PrivateTmp
    ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
  buildFeatures = [
    "standalone"
  ];

  nativeBuildInputs = [
    pkg-config
  nativeCheckInputs = [
    procps
  ];

  buildInputs = [
    openssl
  # build mock_binary for tests
  preCheck = ''
    cargo build --features=test
  '';
  checkFeatures = [
    "standalone"
    "test"
    "client"
  ];

  env = {
    OPENSSL_NO_VENDOR = 1;
  };

  cargoHash = service-cargo-hash;
}
  inherit meta;
})
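Review bot: Removing `./0001-core-validate-bin_path-to-prevent-RCE-in-start_clash.patch` and `./0002-core-prevent-overwriting-existing-file-by-validating.patch` from `patches` drops the only visible guards on the binary path and log file the privileged service is told to use, and the new `postPatch` only carries over the socket-path move from 0003 via the `substituteInPlace src/lib.rs` lines. Unless clash-verge-service-ipc v2.0.21 validates `bin_path` itself (not visible on this page), a local client that can reach `/run/clash-verge-rev/service.sock` can ask the service to spawn an arbitrary executable, which is exactly the issue the dropped 0001 patch described. Please either confirm the upstream check and record it next to `src`, e.g. `# 0001/0002 dropped: bin_path and log_file validation now lives upstream in <file> — re-check on every bump`, or port 0001 to the new tree; if porting, compare against the canonicalized path, because `Path::starts_with` is component-wise and does not resolve `..` or symlinks, so the original check could be bypassed. The `--replace-fail "owner_perm | group_perm | other_perm" "0o0755"` substitution also hard-codes the expected mode in `tests/test_start_permissions.rs`, so that test no longer exercises the permission computation; a one-line comment on why the sandbox needs this would help the next bumper.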