@ukari ukari commented Dec 19, 2025

Description

This PR addresses a security vulnerability and a logical bug in the subscription page handling:

  1. Security Fix: Removed the unauthenticated global /sub endpoint. The subscription page now requires the UUID in the URL path (e.g., /${uuid}/sub) to prevent unauthorized access to sensitive configuration details (Information Disclosure).
  2. Logic Fix: Refactored src/pages/index.ts to render the specific configuration matching the UUID in the request URL. Previously, the UI was hardcoded to always display the first UUID in the environment variable, ignoring other users.
  3. Refactor: Extracted HTML generation logic into subscriptionPageTextMaker for better readability.
  4. CI: inject GitHub vars into wrangler.toml for UUID/PROXY_IP.

Related Issue

Fixes security vulnerability where /sub exposed credentials without authentication.
Also fixes the issue where multi-UUID setups only displayed the first user's config.

Motivation and Context

Security Risk: The previous /sub endpoint allowed anyone knowing the domain to view the VLESS UUID and connection details, bypassing the proxy's authentication. By enforcing /${uuid}/sub, the UUID acts as a pre-shared key for access.

Bug: For users employing multiple UUIDs (e.g., UUID=id1,id2), accessing the subscription page previously would always show the config for id1, even if the intended user was id2. This PR ensures id2 sees their own config.

Align Document & Deploy Behavior: According to README.md and wrangler.toml, it seems it should be possible to sync the repository variables for PROXY_IP/UUID to the Cloudflare Worker Pages instance in PLAINTEXT, in the Variables and Secrets section, when deploying with Method 3: GitHub Actions.

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
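
The routing rule described in this PR (no bare /sub, and /${uuid}/sub resolving to that UUID's own entry rather than the first one), sketched as an added example that is not the PR's or the project's code. The names `resolveSubscription`, `parseUuidList`, `constantTimeEqual` and `SubResult`, the 404 response for misses, and the constant-time comparison are assumptions of this sketch.

```typescript
// Added illustration; function and type names are hypothetical.
type SubResult = { status: number; uuid: string | null };

const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Parse the comma-separated UUID variable (e.g. UUID=id1,id2).
function parseUuidList(uuidEnv: string): string[] {
  return uuidEnv
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => UUID_RE.test(s));
}

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const ca = i < a.length ? a.charCodeAt(i) : 0;
    const cb = i < b.length ? b.charCodeAt(i) : 0;
    diff |= ca ^ cb;
  }
  return diff === 0;
}

// Decide which user's subscription page, if any, a request path may see.
function resolveSubscription(pathname: string, uuidEnv: string): SubResult {
  const m = /^\/([^/]+)\/sub\/?$/.exec(pathname);
  if (m === null) return { status: 404, uuid: null }; // includes bare /sub
  const candidate = (m[1] ?? "").toLowerCase();
  let matched: string | null = null;
  for (const id of parseUuidList(uuidEnv)) {
    if (constantTimeEqual(candidate, id)) matched = id; // no early exit
  }
  // Unknown UUIDs get the same 404 as any other missing path.
  return matched === null
    ? { status: 404, uuid: null }
    : { status: 200, uuid: matched };
}

// Constructed sample values, not real credentials.
const SAMPLE_ENV =
  "11111111-1111-4111-8111-111111111111,22222222-2222-4222-8222-222222222222";
```

Because the UUID travels in the URL path, it can end up in access logs, browser history and referrer headers, so those deserve the same handling as the credential itself.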
