torrentclaw/unarr
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions
unarr/internal/engine
History
Deivid Soto c148cb8ce7 fix(security): harden HLS session IDs, /health disclosure, archive password handling 
Phase 1 security audit follow-up:

- Reject HLS session IDs that aren't safe filesystem components
  (regex allowlist) to defend against path traversal via a buggy or
  compromised server. Applied at StartHLSSession and at the /hls URL
  handler; invalid IDs share the 404 of unknown sessions so the
  accepted format isn't enumerable.
- /health no longer leaks the active filename, taskID prefix or client
  IP to non-loopback callers. Uses net.IP.IsLoopback so IPv4-mapped
  IPv6 (::ffff:127.0.0.1) is recognised and the empty-string parse
  failure stops bypassing the boundary.
- unrar/7z passwords now travel through stdin instead of -p<password>
  in argv, removing /proc/<pid>/cmdline disclosure. Control characters
  in the password are rejected up front so a hostile NZB cannot feed
  extra prompt answers. Both invocations are bounded by a 30-minute
  context to stop indefinite hangs if the tool ever decides to prompt.
2026-05-15 17:10:42 +02:00
..
wire feat(stream): pion-based WebRTC byte streamer for browser playback 2026-05-06 23:12:38 +02:00
debrid.go feat(sync): replace WS+DO transport with unified HTTP sync 2026-04-08 18:50:59 +02:00
debrid_test.go chore: rename module from torrentclaw-cli to unarr 2026-03-30 13:06:07 +02:00
hls.go fix(security): harden HLS session IDs, /health disclosure, archive password handling 2026-05-15 17:10:42 +02:00
hls_test.go fix(security): harden HLS session IDs, /health disclosure, archive password handling 2026-05-15 17:10:42 +02:00
hwaccel.go feat(transcode): dynamic H.264 level + HW probe + capability reporting 2026-05-08 15:57:02 +02:00
hwaccel_test.go feat(stream): pion-based WebRTC byte streamer for browser playback 2026-05-06 23:12:38 +02:00
manager.go feat(sync): replace WS+DO transport with unified HTTP sync 2026-04-08 18:50:59 +02:00
manager_integration_test.go test: add comprehensive test suite for engine, agent and cmd packages 2026-04-08 23:36:00 +02:00
manager_test.go fix(ci): fix lint errors and pin CI to Go 1.25 2026-03-31 22:15:12 +02:00
method.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
method_test.go feat(cli): upgrade command, rich status, and version cache 2026-03-31 22:05:43 +02:00
notify.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
notify_test.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
organize.go feat(organize): use server metadata for file organization and subtitle handling 2026-04-05 23:36:01 +02:00
organize_expand_test.go feat(organize): use server metadata for file organization and subtitle handling 2026-04-05 23:36:01 +02:00
organize_test.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
probe.go feat(streaming): add HLS transport pipeline (daemon side) 2026-05-07 16:10:22 +02:00
probe_test.go feat(stream): pion-based WebRTC byte streamer for browser playback 2026-05-06 23:12:38 +02:00
progress.go feat(sync): replace WS+DO transport with unified HTTP sync 2026-04-08 18:50:59 +02:00
progress_test.go fix(ci): fix lint errors and pin CI to Go 1.25 2026-03-31 22:15:12 +02:00
resolve.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
resolve_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
safepath.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
safepath_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
seed_file.go feat(seed-file): unarr-side handler for browser-on-demand seeding (Fase 4.7.c) 2026-05-06 16:28:01 +02:00
seed_file_test.go feat(seed-file): unarr-side handler for browser-on-demand seeding (Fase 4.7.c) 2026-05-06 16:28:01 +02:00
sockopt_unix.go fix(stream): use platform-specific socket options for Windows cross-compilation 2026-04-07 19:18:13 +02:00
sockopt_windows.go fix(stream): use platform-specific socket options for Windows cross-compilation 2026-04-07 19:18:13 +02:00
stream.go fix(stream): fix black screen on remote/Tailscale streaming 2026-04-09 16:15:41 +02:00
stream_player.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
stream_server.go fix(security): harden HLS session IDs, /health disclosure, archive password handling 2026-05-15 17:10:42 +02:00
stream_server_extra_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
stream_server_test.go fix(security): harden HLS session IDs, /health disclosure, archive password handling 2026-05-15 17:10:42 +02:00
stream_source.go fix(transcoder): force main profile + setparams Rec.709 + serveRange wait 2026-05-07 13:48:45 +02:00
stream_source_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
stream_test.go fix(stream): fix black screen on remote/Tailscale streaming 2026-04-09 16:15:41 +02:00
task.go fix: resolve deadlock, data races and path traversal vulnerabilities 2026-04-08 23:36:18 +02:00
task_test.go fix(lint): use default:none to disable errcheck, fix all gofmt and exhaustive 2026-03-31 00:29:16 +02:00
torrent.go chore(torrent): bump anacrolix log level Critical → Warning for visibility 2026-05-06 21:17:11 +02:00
torrent_test.go test: add comprehensive test suite for engine, agent and cmd packages 2026-04-08 23:36:00 +02:00
transcoder.go feat(transcode): dynamic H.264 level + HW probe + capability reporting 2026-05-08 15:57:02 +02:00
transcoder_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
upnp.go fix: resolve deadlock, data races and path traversal vulnerabilities 2026-04-08 23:36:18 +02:00
upnp_debug_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
upnp_live_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
upnp_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
usenet.go fix: resolve deadlock, data races and path traversal vulnerabilities 2026-04-08 23:36:18 +02:00
usenet_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
validate.go fix(security): harden HLS session IDs, /health disclosure, archive password handling 2026-05-15 17:10:42 +02:00
verify.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
verify_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
watch_reporter.go feat(stream): report duration and position in watch progress 2026-04-07 23:29:00 +02:00
watch_reporter_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
webrtc.go feat(torrent): act as WebTorrent peer for browser ↔ unarr P2P streaming 2026-05-06 08:59:58 +02:00
webrtc_stream.go feat(transcode): dynamic H.264 level + HW probe + capability reporting 2026-05-08 15:57:02 +02:00
webrtc_test.go feat(torrent): act as WebTorrent peer for browser ↔ unarr P2P streaming 2026-05-06 08:59:58 +02:00