fix(security): harden HLS session IDs, /health disclosure, archive password handling
Phase 1 security audit follow-up: - Reject HLS session IDs that aren't safe filesystem components (regex allowlist) to defend against path traversal via a buggy or compromised server. Applied at StartHLSSession and at the /hls URL handler; invalid IDs share the 404 of unknown sessions so the accepted format isn't enumerable. - /health no longer leaks the active filename, taskID prefix or client IP to non-loopback callers. Uses net.IP.IsLoopback so IPv4-mapped IPv6 (::ffff:127.0.0.1) is recognised and the empty-string parse failure stops bypassing the boundary. - unrar/7z passwords now travel through stdin instead of -p<password> in argv, removing /proc/<pid>/cmdline disclosure. Control characters in the password are rejected up front so a hostile NZB cannot feed extra prompt answers. Both invocations are bounded by a 30-minute context to stop indefinite hangs if the tool ever decides to prompt.
This commit is contained in:
Deivid Soto
parent
a73e1a7756
commit
c148cb8ce7
6 changed files with 213 additions and 16 deletions
|
|
@ -303,6 +303,12 @@ func (ss *StreamServer) hlsHandler(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
sessionID := parts[0]
|
||||
// Reject malformed IDs with the same 404 we return for unknown sessions —
|
||||
// no oracle for the accepted format.
|
||||
if !validSessionID.MatchString(sessionID) {
|
||||
http.Error(w, "hls session not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
session := ss.hls.Get(sessionID)
|
||||
if session == nil {
|
||||
http.Error(w, "hls session not found", http.StatusNotFound)
|
||||
|
|
@ -392,6 +398,17 @@ func (ss *StreamServer) healthHandler(w http.ResponseWriter, r *http.Request) {
|
|||
ss.mu.RUnlock()
|
||||
|
||||
clientIP, _, _ := net.SplitHostPort(r.RemoteAddr)
|
||||
// Only expose filename/taskID/client to loopback callers (local diagnostics).
|
||||
// Remote callers (LAN, Tailscale, UPnP public) get a minimal probe response
|
||||
// so that scanners and unauthenticated peers cannot fingerprint the active
|
||||
// download. The web stream-probe only checks HTTP 200 + Content-Type.
|
||||
//
|
||||
// Use net.IP.IsLoopback so we also accept ::ffff:127.0.0.1 (Linux dual-stack
|
||||
// IPv4-mapped form) and reject the empty-string fallthrough when
|
||||
// SplitHostPort fails on a malformed RemoteAddr — both would otherwise
|
||||
// silently bypass the disclosure boundary.
|
||||
parsedIP := net.ParseIP(clientIP)
|
||||
isLocal := parsedIP != nil && parsedIP.IsLoopback()
|
||||
|
||||
type healthResponse struct {
|
||||
Status string `json:"status"`
|
||||
|
|
@ -399,19 +416,23 @@ func (ss *StreamServer) healthHandler(w http.ResponseWriter, r *http.Request) {
|
|||
File string `json:"file,omitempty"`
|
||||
Task string `json:"task,omitempty"`
|
||||
Port int `json:"port"`
|
||||
Client string `json:"client"`
|
||||
Client string `json:"client,omitempty"`
|
||||
}
|
||||
resp := healthResponse{
|
||||
Status: "ok",
|
||||
Port: ss.port,
|
||||
Client: clientIP,
|
||||
}
|
||||
if provider != nil {
|
||||
resp.Streaming = true
|
||||
resp.File = provider.FileName()
|
||||
resp.Task = taskID
|
||||
if len(resp.Task) > 8 {
|
||||
resp.Task = resp.Task[:8]
|
||||
}
|
||||
if isLocal {
|
||||
resp.Client = clientIP
|
||||
if provider != nil {
|
||||
resp.File = provider.FileName()
|
||||
resp.Task = taskID
|
||||
if len(resp.Task) > 8 {
|
||||
resp.Task = resp.Task[:8]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue