Giter Site home page Giter Site logo

moekr / sword Goto Github PK

View Code? Open in Web Editor NEW
7.0 2.0 2.0 1.47 MB

仿SmokePing的多点ping值监测工具

Home Page: https://ping.moekr.com

License: GNU General Public License v3.0

Makefile 0.27% Shell 1.97% Go 68.78% HTML 10.98% CSS 2.02% JavaScript 15.99%

sword's Introduction

Sword

仿SmokePing的多点ping值监测工具 https://ping.moekr.com

Jenkins

编译安装

  1. 确保有Go环境
  2. make,交叉编译则加上目标系统和架构的环境变量如GOARCH=amd64 GOOS=linux make
  3. 将output文件夹拷贝至目标机器
  4. (按需)修改script和service中的路径

启动参数

服务端:
sword -s -b 127.0.0.1:7901 -c /opt/sword/conf.json -d /opt/sword/data/ -t token

客户端:
sword -u http://localhost:7901 -i 1 -t token

其中:

  • -s:申明以服务端模式启动,默认为false即以客户端模式启动
  • -b:监听的地址和端口,默认0.0.0.0:7901,服务端专用
  • -c:配置文件位置,默认./conf.json,服务端专用,配置文件模板见conf.sample.json
  • -d:数据文件目录,默认./data/,服务端专用
  • -u:服务端通信地址,默认http://localhost:7901,客户端专用
  • -i:客户端编号,默认-1,客户端专用,该编号必须对应服务端配置文件中的一个observer id
  • -t:HTTP Token,用于客户端与服务端通信时的鉴权,默认为空即不鉴权,服务端与客户端该参数必须一致

此外:

  • -v:以debug模式启动,会输出较多日志

其他

  1. Debian/Ubuntu可以将sword.server.service/sword.client.service注册为系统服务
  2. 修改配置文件后推荐使用script/reconf.sh重启(Debian/Ubuntu)
  3. 每一小时将生成一个备份文件,可以设定定时任务调用script/rmbak.sh清理备份文件

协议

GPLv3

sword's People

Contributors

moekr avatar

Stargazers

fshlsjglsgsgs avatar yanli avatar avatar avatar avatar Louis Zhang avatar ifenr avatar

Watchers

James Cloos avatar fshlsjglsgsgs avatar

Forkers

morphyhu tianyanli

sword's Issues

Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. This issue arises when specially crafted input strings are used in the context of distributed, high-volume requests, potentially leading to a denial-of-service attack.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

sword/vendor/github.com/Unknwon/com/html.go

Line 47 in 843624c

re := regexp.MustCompile(`(?s)<(?:style|script)[^<>]*>.*?</(?:style|script)>|</?[a-z][a-z0-9]*[^<>]*>|<!--.*?-->`)

PoC Files and Comparisons:

// Proof of concept
filename := os.Args[1]
content, err := ioutil.ReadFile(filename)
re := regexp.MustCompile("(?s)<(?:style|script)[^<>]*>.*?</(?:style|script)>|</?[a-z][a-z0-9]*[^<>]*>|<!--.*?-->")
re.ReplaceAllString(string(content), "")

PoC Files Here:
poc.zip

To evaluate the performance of this inefficient regular expression matching with varying input contents, the following commands can be executed within the PoC folder:

time ./poc AttackString10MB.txt
# real    72m38.173s
# user    72m30.083s
# sys     0m5.653s
time ./poc RandomString10MB.txt
# real    0m0.029s
# user    0m0.016s
# sys     0m0.026s
time ./poc AttackString1MB.txt
# real    0m54.028s
# user    0m53.917s
# sys     0m0.088s
time ./poc RandomString1MB.txt
# real    0m0.011s
# user    0m0.007s
# sys     0m0.011s

The significant difference in processing time between random strings and malicious strings highlights the potential effectiveness of this regex for malicious exploitation. And as string length grows, the nonlinear increase in processing time reflects potentially greater risks.

Proposed Solution:

A possible mitigation strategy could include limiting the input length to prevent excessive processing times. If the corresponding function or feature is not in use, it is recommended to clean up risky third-party packages or code content to prevent malicious exploitation through methods such as code injection.

Additional Considerations:

Historically, it was believed that using regex engines with non-backtracking implementations (such as those in Rust or Go) would not lead to ReDoS vulnerabilities. However, recent studies have shown that this is not always the case. I recommend an assessment of how this issue might impact this project.

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

如何运行呢?

想尝试搭建使用,却不知道该如何使用,总是报错,烦请指导。

Running sword

Hello,

I am in the search for an alternative to SmokePing and I would like to test out you project.

I have build the project but have not managed to start it, do you know what could be causing this?
It would be great to have a docker images to facilitate the testings :-)

image

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.