torrentclaw/unarr
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions
unarr/internal/upgrade/extract.go
Deivid Soto 060a3e48db fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs 
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.

Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.

URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.

State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.

ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.

Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.

Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00

163 lines
4 KiB
Go
Raw Blame History

package upgrade
import (
"archive/tar"
"archive/zip"
"compress/gzip"
"fmt"
"io"
"os"
"path"
"path/filepath"
"runtime"
"strings"
)
// extractBinary extracts the unarr binary from the release archive into destDir.
// Returns the path to the extracted binary.
func extractBinary(archivePath, destDir string) (string, error) {
if runtime.GOOS == "windows" {
return extractZip(archivePath, destDir)
}
return extractTarGz(archivePath, destDir)
}
func extractTarGz(archivePath, destDir string) (string, error) {
f, err := os.Open(archivePath)
if err != nil {
return "", err
}
defer f.Close()
gz, err := gzip.NewReader(f)
if err != nil {
return "", fmt.Errorf("gzip: %w", err)
}
defer gz.Close()
tr := tar.NewReader(gz)
target := binaryName
if runtime.GOOS == "windows" {
target += ".exe"
}
for {
hdr, err := tr.Next()
if err == io.EOF {
break
}
if err != nil {
return "", fmt.Errorf("tar: %w", err)
}
name := filepath.Base(hdr.Name)
if name != target {
continue
}
// Validate: must be a regular file
if hdr.Typeflag != tar.TypeReg {
continue
}
dst := filepath.Join(destDir, target)
out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
if err != nil {
return "", err
}
if _, err := io.Copy(out, io.LimitReader(tr, 200<<20)); err != nil { // 200MB limit
out.Close()
return "", fmt.Errorf("extract: %w", err)
}
out.Close()
return dst, nil
}
return "", fmt.Errorf("binary %q not found in archive", target)
}
func extractZip(archivePath, destDir string) (string, error) {
r, err := zip.OpenReader(archivePath)
if err != nil {
return "", fmt.Errorf("zip: %w", err)
}
defer r.Close()
target := binaryName + ".exe"
// Resolve destDir to its absolute form once so the ZIP-slip check below
// can compare canonical paths instead of fragile substring matches.
absDest, err := filepath.Abs(destDir)
if err != nil {
return "", fmt.Errorf("resolve dest: %w", err)
}
for _, f := range r.File {
if f.FileInfo().IsDir() {
continue
}
if filepath.Base(f.Name) != target {
continue
}
absDst, ok := safeZipPath(f.Name, target, absDest)
if !ok {
continue
}
rc, err := f.Open()
if err != nil {
return "", err
}
out, err := os.OpenFile(absDst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
if err != nil {
rc.Close()
return "", err
}
if _, err := io.Copy(out, io.LimitReader(rc, 200<<20)); err != nil { // 200MB limit
out.Close()
rc.Close()
return "", fmt.Errorf("extract: %w", err)
}
out.Close()
rc.Close()
return absDst, nil
}
return "", fmt.Errorf("binary %q not found in archive", target)
}
// safeZipPath validates that a ZIP entry name is safe to extract under
// absDest, then returns the absolute destination path (always
// absDest/target, never the raw entry name — we still only extract files
// matched by Base name).
//
// Rejected: absolute paths, paths that resolve to "..", paths containing
// a "../" or "..\\" component, and any entry whose final destination
// would land outside absDest. The check uses path.Clean on the entry's
// native separator (ZIP uses forward slashes by spec, but some authors
// emit backslashes — we treat both as separators here so a hostile entry
// on Linux can't bypass the substring scan).
func safeZipPath(entryName, target, absDest string) (string, bool) {
// Normalise both separators to "/" so the check works on Linux too,
// where filepath.Separator is "/" and a hostile "..\\foo" string is
// otherwise treated as a single filename component by filepath.Clean.
normalised := strings.ReplaceAll(entryName, `\`, "/")
cleaned := path.Clean(normalised)
if cleaned == ".." ||
strings.HasPrefix(cleaned, "../") ||
strings.Contains(cleaned, "/../") ||
path.IsAbs(cleaned) {
return "", false
}
absDst, err := filepath.Abs(filepath.Join(absDest, target))
if err != nil {
return "", false
}
if !strings.HasPrefix(absDst+string(filepath.Separator), absDest+string(filepath.Separator)) {
return "", false
}
return absDst, true
}
Reference in a new issue View git blame Copy permalink