Necronicle
7690c56a15
fix: correct mips64el arch mapping, verify all MIPS paths
Verified via Keenetic docs + Entware repos:
- Keenetic uses ONLY mipsel-sf and mips-sf (32-bit), never mips64
- mipsel-sf → *mipsel* → linux-mipsel → builds/...-mipsel ✓
- mips-sf → *mips* → linux-mips → builds/...-mips ✓
- aarch64-3.10 → *aarch64* → linux-arm64 → builds/...-arm64 ✓
Fixed mips64el mapping (was incorrectly → linux-mipsel 32-bit).
Now correctly → linux-mips64el. No Keenetic impact (no mips64
Keenetic exists), but correct for future OpenWrt devices.
Sources: Keenetic docs, Entware GitHub, opkg repos
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 14:41:21 +03:00
Necronicle
9c5ffa77ca
feat: IPv6 support, web panel, ECH detection, integration tests
IPv6 (mtproxy-client):
- listener.go: dual-stack SO_ORIGINAL_DST — tries IPv4 first, falls
back to IPv6 via SOL_IPV6/IP6T_SO_ORIGINAL_DST (sockaddr_in6 parsing)
- dcmap.go: add Telegram IPv6 CIDR ranges (2001:b28:f23d::/48 → DC2,
2001:b28:f23f::/48 → DC5, 2001:67c:4e8::/48 → DC2)
- main.go: resolveIP() prefers IPv4, accepts IPv6; connectWS uses "tcp"
dual-stack dial as fallback
- transparent.go: resolveIPCached replaces resolveIPv4Cached, supports
both address families
- Tests: TestLookupDC_IPv6 covers all new ranges
Web monitoring panel:
- z2k-webpanel.sh: CGI script for busybox httpd with dark theme,
service status, strategies, autocircular state, logs, system info,
action buttons (restart/stop/start/clearstate), auto-refresh 30s
- z2k-webpanel-install.sh: installer for busybox httpd setup
- Integrated into install.sh and z2k.sh bootstrap downloads
ECH (Encrypted Client Hello) support:
- z2k_detect_ech(): detects TLS extension type 0xfe0d in ClientHello
- z2k_ech_passthrough(): desync action that skips processing when ECH
is present (DPI cannot see SNI, desync unnecessary)
- z2k_strategy_profile(): latency/success tracking per strategy
Lua hardening:
- TOCTOU in file permission checks documented — actual safety via
lock+rename pattern (already correct, added explanation comment)
Integration test framework (86 tests total):
- test_config_official.sh: NFQWS2_OPT generation, Austerus mode,
circular nld2 injection, failure detector injection
- test_strategies.sh: strategy parsing, empty/malformed input handling,
category file creation, get_strategy retrieval
- test_validator.sh: config validation, port ranges, hostlist checks,
missing config/variables detection
- run_all.sh: test runner with summary
Other:
- UPSTREAM_PROPOSALS.md: 6 improvement proposals for bol-van/zapret2
- Fix grep -c whitespace in generate_strategies_conf
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 01:17:22 +03:00
Necronicle
8f97e00da1
fix: deep review round 3 — source injection, Lua safety, tests
Shell injection hardening:
- Replace ALL remaining `. "$config"` (source) with safe_config_read()
in menu.sh, config.sh, config_official.sh, utils.sh, install.sh
(7 source calls eliminated — prevents arbitrary code execution
via compromised config files)
Subshell variable mutation:
- Fix backup_file(): pipe+while subshell lost $deleted counter,
replaced with xargs (no subshell needed)
- Fix cleanup_backups(): same pattern, now uses xargs+wc
Lua hardening:
- z2k_num(): add integer bounds clamping (±2^31) to prevent
overflow in bit operations on attacker-controlled input
- z2k_qvarint_decode_bytes(): add type(bytes)~="table" guard
to prevent nil dereference crash on malformed QUIC packets
Strategy validation:
- generate_strategies_conf() now returns error if zero strategies
parsed (detects corrupt/empty input instead of silent empty output)
Tests expanded (23 total, was 15):
- 5 new injection tests: $(cmd), `cmd`, pipes, semicolons, $VAR
- backup_file/restore_backup roundtrip test
- is_zapret2_installed negative test
- Fixed WORK_DIR collision with utils.sh
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 01:17:22 +03:00
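Added example, not the project's own safe_config_read() (its source is not on this page): one way to load a KEY=VALUE config without `. "$config"`, rejecting the same injection shapes the commit's tests cover ($(cmd), backticks, pipes, semicolons, $VAR). The uppercase-key rule and the IFS/PATH/ENV/PS4/LD_* denylist are this example's own choices, and the demo config is constructed.

```shell
#!/bin/sh
# Added example, not the project's own safe_config_read(): load KEY=VALUE
# lines from a config file WITHOUT sourcing it. `. "$config"` executes any
# command written into the file; this parser stores plain assignments only
# and returns 2 on the first line that is anything else.
safe_config_read() {
    _file="$1"
    [ -r "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line="${_line#"${_line%%[! ]*}"}"   # trim leading spaces
        case "$_line" in
            ''|'#'*) continue ;;             # blank line or comment
            *=*) ;;                          # shaped like an assignment
            *) return 2 ;;                   # bare command, garbage, etc.
        esac
        _key="${_line%%=*}"
        _val="${_line#*=}"
        # key must be an uppercase identifier, and a config file must never
        # be able to set the shell's own control variables
        case "$_key" in
            ''|[!A-Z]*|*[!A-Z0-9_]*) return 2 ;;
            IFS|PATH|ENV|PS4|LD_*) return 2 ;;
        esac
        # strip one layer of matching quotes around the value
        case "$_val" in
            \"*\") _val="${_val#\"}"; _val="${_val%\"}" ;;
            \'*\') _val="${_val#\'}"; _val="${_val%\'}" ;;
        esac
        # reject every character that lets the shell do more than store a
        # string: $ backticks | ; & ( ) < > quotes and backslashes
        case "$_val" in
            *['$`|;&()<>"\']*|*\'*) return 2 ;;
        esac
        # eval is safe here: key is a bare identifier and the single-quoted
        # value has been checked to contain no quote or metacharacter
        eval "$_key='$_val'"
    done < "$_file"
}

# Demo on a constructed config written to a mktemp file (never a guessable
# path): the first line is accepted, the second is rejected before any
# command can run.
_demo=$(mktemp)
printf '%s\n' 'NFQWS2_OPT="--dpi-desync=fake --dpi-desync-ttl=3"' \
    'PORT=$(id)' > "$_demo"
safe_config_read "$_demo"
echo "status=$? NFQWS2_OPT=$NFQWS2_OPT PORT=${PORT:-unset}"
rm -f "$_demo"
```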
Necronicle
9591d732c8
fix: remaining review items — tmpfiles, Lua safety, shell tests
- Replace predictable temp file names with mktemp in healthcheck
and update-lists scripts (prevents race conditions)
- Add whitelist for _G[fname] in z2k-autocircular.lua — only
allowed hostkey function names can be loaded from globals
- Add log directory pre-check in z2k-update-lists.sh
- Add shell unit tests (tests/test_utils.sh): 15 tests covering
safe_config_read injection safety and arch mapping correctness
- Add shell tests to CI pipeline
- Extend .gitignore with *.tmp, *.swp, *~ patterns
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 01:17:22 +03:00