fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings plus a deferred-work plan for the cross-repo stream-token rollout. Stream server CORS: replace the wildcard Access-Control-Allow-Origin with an allowlist that echoes back only torrentclaw.com, app.torrentclaw.com, the local Next dev port (3030 — matches the web repo package.json) and any extras the operator adds via the new downloads.cors_extra_origins TOML key. A Vary: Origin header is now emitted whenever the request carries an Origin header so an intermediate cache cannot serve a stale ACAO to a different origin. URL scheme guard: openBrowser and OpenPlayer refuse any URL that is not http(s). Combined with passing the URL after "--" wherever the launched helper supports it (open, mpv, vlc, cvlc), this stops a leading "-" from being parsed as a switch by the spawned process. State file permissions: WriteState now writes 0o600 so the agent ID, PID and counters cannot be enumerated by another local user on a shared host. Matches the existing config file mode. ZIP slip defense-in-depth: extractZip extracts the safety check into safeZipPath, which canonicalises the entry name (normalising backslashes to "/"), rejects "..", "../" prefix and "/../" interior components, and verifies the final destination stays inside destDir before opening any file. Mirror fallback: documented the design for multi-provider mirrors.json hosting in the comment block on DefaultStaticFallbackURLs and added a follow-up note about signing it with the same ed25519 release key. The list is kept at one provider until the second host is provisioned and added to torrentclaw-web's STATIC_FALLBACKS. Deferred work: a new plan document Docs/plans/security-stream-token.md covers the per-task stream token (Phase 2.2 of the original audit) which requires coordinated web + CLI work and ships separately.
This commit is contained in:
Deivid Soto
parent
433e375def
commit
060a3e48db
13 changed files with 462 additions and 48 deletions
|
|
@ -1085,3 +1085,40 @@ func TestDownloadSetsUserAgent(t *testing.T) {
|
|||
t.Errorf("User-Agent = %q, want 'unarr-updater'", gotUA)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSafeZipPath(t *testing.T) {
|
||||
dest := t.TempDir()
|
||||
absDest, err := filepath.Abs(dest)
|
||||
if err != nil {
|
||||
t.Fatalf("abs dest: %v", err)
|
||||
}
|
||||
|
||||
// Names that must extract successfully.
|
||||
good := []string{
|
||||
"unarr.exe",
|
||||
"bin/unarr.exe",
|
||||
"./unarr.exe",
|
||||
"folder/sub/unarr.exe",
|
||||
}
|
||||
for _, name := range good {
|
||||
if _, ok := safeZipPath(name, "unarr.exe", absDest); !ok {
|
||||
t.Errorf("safeZipPath(%q) = ok:false, want ok:true", name)
|
||||
}
|
||||
}
|
||||
|
||||
// Names that must be rejected for path-traversal reasons.
|
||||
bad := []string{
|
||||
"../unarr.exe",
|
||||
"..",
|
||||
"foo/../../unarr.exe",
|
||||
"/etc/passwd",
|
||||
"/abs/unarr.exe",
|
||||
`..\..\windows\system32\unarr.exe`, // backslash entries that escape
|
||||
"../../bin/unarr.exe",
|
||||
}
|
||||
for _, name := range bad {
|
||||
if _, ok := safeZipPath(name, "unarr.exe", absDest); ok {
|
||||
t.Errorf("safeZipPath(%q) = ok:true, want ok:false", name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue