fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs

Phase 3 security audit follow-up. Medium and low-severity hardenings plus a deferred-work plan for the cross-repo stream-token rollout. Stream server CORS: replace the wildcard Access-Control-Allow-Origin with an allowlist that echoes back only torrentclaw.com, app.torrentclaw.com, the local Next dev port (3030 — matches the web repo package.json) and any extras the operator adds via the new downloads.cors_extra_origins TOML key. A Vary: Origin header is now emitted whenever the request carries an Origin header so an intermediate cache cannot serve a stale ACAO to a different origin. URL scheme guard: openBrowser and OpenPlayer refuse any URL that is not http(s). Combined with passing the URL after "--" wherever the launched helper supports it (open, mpv, vlc, cvlc), this stops a leading "-" from being parsed as a switch by the spawned process. State file permissions: WriteState now writes 0o600 so the agent ID, PID and counters cannot be enumerated by another local user on a shared host. Matches the existing config file mode. ZIP slip defense-in-depth: extractZip extracts the safety check into safeZipPath, which canonicalises the entry name (normalising backslashes to "/"), rejects "..", "../" prefix and "/../" interior components, and verifies the final destination stays inside destDir before opening any file. Mirror fallback: documented the design for multi-provider mirrors.json hosting in the comment block on DefaultStaticFallbackURLs and added a follow-up note about signing it with the same ed25519 release key. The list is kept at one provider until the second host is provisioned and added to torrentclaw-web's STATIC_FALLBACKS. Deferred work: a new plan document Docs/plans/security-stream-token.md covers the per-task stream token (Phase 2.2 of the original audit) which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00 · 2026-05-15 18:48:59 +02:00 · 060a3e48db
commit 060a3e48db
parent 433e375def
13 changed files with 462 additions and 48 deletions
--- a/internal/engine/validate.go
+++ b/internal/engine/validate.go
@ -10,3 +10,39 @@ import "regexp"
 // anything containing slashes, dots, or path separators is rejected so a
 // compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.
 var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)
+
+// defaultCORSAllowedOrigins is the baseline of browser origins that may
+// XHR-probe `/health` and friends on the local daemon. Production hosts are
+// hardcoded; localhost on the dev port used by torrentclaw-web is included
+// so dev builds work without extra configuration. Operators may add more
+// origins via the [downloads] cors_extra_origins TOML key.
+//
+// The dev port matches `next dev -p 3030` in torrentclaw-web/package.json.
+// 127.0.0.1 is listed in addition to localhost because some browsers treat
+// them as distinct origins for CORS.
+//
+// Note: media tags (<video src>, <audio src>) do not send the Origin
+// header so they are not gated by CORS at all; this allowlist only
+// affects fetch()/XHR.
+var defaultCORSAllowedOrigins = []string{
+	"https://torrentclaw.com",
+	"https://app.torrentclaw.com",
+	"http://localhost:3030",
+	"http://127.0.0.1:3030",
+}
+
+// buildCORSAllowlist merges the default origins with any extras supplied by
+// the operator. Returned map is intended to be installed once at Listen()
+// and treated as read-only afterwards.
+func buildCORSAllowlist(extra []string) map[string]struct{} {
+	out := make(map[string]struct{}, len(defaultCORSAllowedOrigins)+len(extra))
+	for _, o := range defaultCORSAllowedOrigins {
+		out[o] = struct{}{}
+	}
+	for _, o := range extra {
+		if o != "" {
+			out[o] = struct{}{}
+		}
+	}
+	return out
+}