torrentclaw/unarr
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions
unarr/internal/agent/state.go
Deivid Soto 060a3e48db fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs 
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.

Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.

URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.

State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.

ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.

Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.

Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00

76 lines
2.2 KiB
Go
Raw Blame History

package agent
import (
"encoding/json"
"os"
"path/filepath"
"time"
"github.com/torrentclaw/unarr/internal/config"
)
// DaemonState is written to disk every heartbeat for external tools to read.
type DaemonState struct {
AgentID string `json:"agentId"`
Status string `json:"status"` // running | upgrading | shutting_down
Version string `json:"version"`
PID int `json:"pid"`
StartedAt time.Time `json:"startedAt"`
LastHeartbeat time.Time `json:"lastHeartbeat"`
ActiveTasks int `json:"activeTasks"`
CompletedCount int `json:"completedCount"`
FailedCount int `json:"failedCount"`
TotalDownloaded int64 `json:"totalDownloaded"`
MethodStats map[string]int `json:"methodStats,omitempty"`
}
// stateFilePathFn is overridable for testing.
var stateFilePathFn = func() string {
return filepath.Join(config.DataDir(), "daemon.state.json")
}
// StateFilePath returns the path to the daemon state file.
func StateFilePath() string {
return stateFilePathFn()
}
// WriteState writes the daemon state to disk (best-effort, never errors).
func WriteState(state *DaemonState) {
path := StateFilePath()
dir := filepath.Dir(path)
os.MkdirAll(dir, 0o755)
data, err := json.MarshalIndent(state, "", " ")
if err != nil {
return
}
// Write to temp file then rename for atomicity. 0o600 keeps the file
// readable only by the owning user — the state contains agentID, PID
// and counters which are useful to a co-tenant on a shared host for
// fingerprinting the daemon, and we already use 0o600 for the config
// file. No need for cross-user readability here.
tmp := path + ".tmp"
if err := os.WriteFile(tmp, data, 0o600); err != nil {
return
}
os.Rename(tmp, path)
}
// ReadState reads the daemon state from disk. Returns nil if not found.
func ReadState() *DaemonState {
data, err := os.ReadFile(StateFilePath())
if err != nil {
return nil
}
var state DaemonState
if json.Unmarshal(data, &state) != nil {
return nil
}
return &state
}
// RemoveState deletes the state file (called on clean shutdown).
func RemoveState() {
os.Remove(StateFilePath())
}
Reference in a new issue View git blame Copy permalink