fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings plus a deferred-work plan for the cross-repo stream-token rollout. Stream server CORS: replace the wildcard Access-Control-Allow-Origin with an allowlist that echoes back only torrentclaw.com, app.torrentclaw.com, the local Next dev port (3030 — matches the web repo package.json) and any extras the operator adds via the new downloads.cors_extra_origins TOML key. A Vary: Origin header is now emitted whenever the request carries an Origin header so an intermediate cache cannot serve a stale ACAO to a different origin. URL scheme guard: openBrowser and OpenPlayer refuse any URL that is not http(s). Combined with passing the URL after "--" wherever the launched helper supports it (open, mpv, vlc, cvlc), this stops a leading "-" from being parsed as a switch by the spawned process. State file permissions: WriteState now writes 0o600 so the agent ID, PID and counters cannot be enumerated by another local user on a shared host. Matches the existing config file mode. ZIP slip defense-in-depth: extractZip extracts the safety check into safeZipPath, which canonicalises the entry name (normalising backslashes to "/"), rejects "..", "../" prefix and "/../" interior components, and verifies the final destination stays inside destDir before opening any file. Mirror fallback: documented the design for multi-provider mirrors.json hosting in the comment block on DefaultStaticFallbackURLs and added a follow-up note about signing it with the same ed25519 release key. The list is kept at one provider until the second host is provisioned and added to torrentclaw-web's STATIC_FALLBACKS. Deferred work: a new plan document Docs/plans/security-stream-token.md covers the per-task stream token (Phase 2.2 of the original audit) which requires coordinated web + CLI work and ships separately.
This commit is contained in:
Deivid Soto
parent
433e375def
commit
060a3e48db
13 changed files with 462 additions and 48 deletions
|
|
@ -4,14 +4,23 @@ import (
|
|||
"fmt"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// OpenPlayer attempts to open a media player with the given stream URL.
|
||||
// Returns the player name and the running command.
|
||||
// If override is set, it uses that command directly.
|
||||
//
|
||||
// The URL is required to be http(s) so a hostile-looking value (e.g. starting
|
||||
// with `--`) is not interpreted as a switch by mpv/vlc/xdg-open/open. The
|
||||
// `--` separator is also appended before the URL where the helper supports
|
||||
// it.
|
||||
func OpenPlayer(url, override string) (string, *exec.Cmd, error) {
|
||||
if !isSafePlayerURL(url) {
|
||||
return "", nil, fmt.Errorf("refusing to open non-http(s) URL")
|
||||
}
|
||||
if override != "" {
|
||||
cmd := exec.Command(override, url)
|
||||
cmd := exec.Command(override, "--", url)
|
||||
if err := cmd.Start(); err != nil {
|
||||
return override, nil, fmt.Errorf("start %s: %w", override, err)
|
||||
}
|
||||
|
|
@ -20,7 +29,7 @@ func OpenPlayer(url, override string) (string, *exec.Cmd, error) {
|
|||
|
||||
// Try mpv first (best streaming support)
|
||||
if path, err := exec.LookPath("mpv"); err == nil {
|
||||
cmd := exec.Command(path, "--no-terminal", url)
|
||||
cmd := exec.Command(path, "--no-terminal", "--", url)
|
||||
if err := cmd.Start(); err == nil {
|
||||
return "mpv", cmd, nil
|
||||
}
|
||||
|
|
@ -28,7 +37,7 @@ func OpenPlayer(url, override string) (string, *exec.Cmd, error) {
|
|||
|
||||
// Try VLC
|
||||
if path, err := exec.LookPath("vlc"); err == nil {
|
||||
cmd := exec.Command(path, url)
|
||||
cmd := exec.Command(path, "--", url)
|
||||
if err := cmd.Start(); err == nil {
|
||||
return "vlc", cmd, nil
|
||||
}
|
||||
|
|
@ -36,7 +45,7 @@ func OpenPlayer(url, override string) (string, *exec.Cmd, error) {
|
|||
|
||||
// Try cvlc (VLC headless)
|
||||
if path, err := exec.LookPath("cvlc"); err == nil {
|
||||
cmd := exec.Command(path, url)
|
||||
cmd := exec.Command(path, "--", url)
|
||||
if err := cmd.Start(); err == nil {
|
||||
return "vlc (headless)", cmd, nil
|
||||
}
|
||||
|
|
@ -51,6 +60,9 @@ func OpenPlayer(url, override string) (string, *exec.Cmd, error) {
|
|||
}
|
||||
|
||||
func openBrowser(url string) (string, *exec.Cmd, error) {
|
||||
if !isSafePlayerURL(url) {
|
||||
return "", nil, fmt.Errorf("refusing to open non-http(s) URL")
|
||||
}
|
||||
switch runtime.GOOS {
|
||||
case "linux":
|
||||
if path, err := exec.LookPath("xdg-open"); err == nil {
|
||||
|
|
@ -60,7 +72,7 @@ func openBrowser(url string) (string, *exec.Cmd, error) {
|
|||
}
|
||||
}
|
||||
case "darwin":
|
||||
cmd := exec.Command("/usr/bin/open", url)
|
||||
cmd := exec.Command("/usr/bin/open", "--", url)
|
||||
if err := cmd.Start(); err == nil {
|
||||
return "browser", cmd, nil
|
||||
}
|
||||
|
|
@ -72,3 +84,9 @@ func openBrowser(url string) (string, *exec.Cmd, error) {
|
|||
}
|
||||
return "", nil, fmt.Errorf("no browser opener found")
|
||||
}
|
||||
|
||||
// isSafePlayerURL guards the helpers above against URLs that could be
|
||||
// interpreted as command-line switches by the launched player.
|
||||
func isSafePlayerURL(url string) bool {
|
||||
return strings.HasPrefix(url, "http://") || strings.HasPrefix(url, "https://")
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue