fix(security): harden HLS session IDs, /health disclosure, archive password handling

Phase 1 security audit follow-up: - Reject HLS session IDs that aren't safe filesystem components (regex allowlist) to defend against path traversal via a buggy or compromised server. Applied at StartHLSSession and at the /hls URL handler; invalid IDs share the 404 of unknown sessions so the accepted format isn't enumerable. - /health no longer leaks the active filename, taskID prefix or client IP to non-loopback callers. Uses net.IP.IsLoopback so IPv4-mapped IPv6 (::ffff:127.0.0.1) is recognised and the empty-string parse failure stops bypassing the boundary. - unrar/7z passwords now travel through stdin instead of -p<password> in argv, removing /proc/<pid>/cmdline disclosure. Control characters in the password are rejected up front so a hostile NZB cannot feed extra prompt answers. Both invocations are bounded by a 30-minute context to stop indefinite hangs if the tool ever decides to prompt.
2026-05-15 17:10:42 +02:00 · 2026-05-15 17:10:42 +02:00 · c148cb8ce7
commit c148cb8ce7
parent a73e1a7756
6 changed files with 213 additions and 16 deletions
--- a/internal/engine/validate.go
+++ b/internal/engine/validate.go
@ -0,0 +1,12 @@
+// Package engine — validate.go centralises input validators used by the
+// stream/HLS HTTP handlers and the daemon glue. Keep new validators in this
+// file so a future reviewer can audit the trust boundary in one place.
+package engine
+
+import "regexp"
+
+// validSessionID restricts session IDs to characters safe for use as a single
+// filesystem path component. Server-issued UUIDs and hex strings match this;
+// anything containing slashes, dots, or path separators is rejected so a
+// compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.
+var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)