Phase 1 security audit follow-up:

- Reject HLS session IDs that aren't safe filesystem components (regex allowlist) to defend against path traversal via a buggy or compromised server. Applied at StartHLSSession and at the /hls URL handler; invalid IDs share the 404 of unknown sessions so the accepted format isn't enumerable.
- /health no longer leaks the active filename, taskID prefix or client IP to non-loopback callers. Uses net.IP.IsLoopback so IPv4-mapped IPv6 (::ffff:127.0.0.1) is recognised and the empty-string parse failure stops bypassing the boundary.
- unrar/7z passwords now travel through stdin instead of -p<password> in argv, removing /proc/<pid>/cmdline disclosure. Control characters in the password are rejected up front so a hostile NZB cannot feed extra prompt answers. Both invocations are bounded by a 30-minute context to stop indefinite hangs if the tool ever decides to prompt.
12 lines
630 B
Go
// Package engine — validate.go centralises input validators used by the
// stream/HLS HTTP handlers and the daemon glue. Keep new validators in this
// file so a future reviewer can audit the trust boundary in one place.
package engine

import "regexp"

// validSessionID restricts session IDs to characters safe for use as a single
// filesystem path component. Server-issued UUIDs and hex strings match this;
// anything containing slashes, dots, or path separators is rejected so a
// compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.
var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)
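The first two bullets of the commit message, as an added stand-alone example that is not the project's code: it reuses the `validSessionID` allowlist from validate.go and shows a `/hls` handler that returns the same 404 for malformed and unknown IDs, plus the `/health` loopback boundary built on `net.IP.IsLoopback`. The handler names (`hlsHandler`, `healthView`, `isLoopbackCaller`), the in-memory `sessions` table and the sample status values are constructed for illustration; the project's real session table and handlers are not on this page.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// validSessionID is the same allowlist as validate.go: one safe path
// component, no dots or separators, bounded length.
var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)

// sessions is a constructed in-memory stand-in for the daemon's HLS session
// table; the real table is not part of this example.
var sessions = map[string]bool{"3f9a1c": true}

// hlsHandler answers 404 for malformed IDs and unknown IDs alike, so probing
// the endpoint cannot reveal which shapes of ID pass the allowlist.
func hlsHandler(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	if !validSessionID.MatchString(id) || !sessions[id] {
		http.NotFound(w, r)
		return
	}
	fmt.Fprintf(w, "session %s ok\n", id)
}

// isLoopbackCaller decides the /health trust boundary. net.ParseIP returns nil
// for "" and any garbage, and a nil IP is never loopback, so a parse failure
// lands on the untrusted side instead of bypassing the check. IPv4-mapped IPv6
// (::ffff:127.0.0.1) is recognised because IsLoopback looks through To4().
func isLoopbackCaller(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port in the string; try it as a bare address
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// healthStatus carries the fields the commit message says /health must not
// leak to non-loopback callers; the values below are constructed samples.
type healthStatus struct {
	Filename string
	TaskID   string
	ClientIP string
}

// healthView returns the full status for loopback callers and a redacted
// (zero-valued) one for everyone else.
func healthView(remoteAddr string) healthStatus {
	if !isLoopbackCaller(remoteAddr) {
		return healthStatus{}
	}
	return healthStatus{Filename: "movie.mkv", TaskID: "abc12345", ClientIP: remoteAddr}
}

func healthHandler(w http.ResponseWriter, r *http.Request) {
	s := healthView(r.RemoteAddr)
	fmt.Fprintf(w, "ok filename=%q task=%q client=%q\n", s.Filename, s.TaskID, s.ClientIP)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/hls", hlsHandler)
	mux.HandleFunc("/health", healthHandler)
	for _, path := range []string{"/hls?id=3f9a1c", "/hls?id=..%2F..%2Fetc", "/health"} {
		req := httptest.NewRequest(http.MethodGet, path, nil)
		req.RemoteAddr = "[::ffff:127.0.0.1]:40000" // mapped-v4 loopback caller
		rec := httptest.NewRecorder()
		mux.ServeHTTP(rec, req)
		fmt.Printf("%-28s -> %d %s", path, rec.Code, rec.Body.String())
	}
}
```

Note that the loopback check deliberately treats any unparsable `RemoteAddr` as remote: returning `false` on the nil-IP path is what closes the empty-string bypass the commit message describes.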
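The third bullet (passwords over stdin, control-character rejection, 30-minute bound), as an added example that is not the project's code. `checkPassword`, `buildExtractCmd`, `argvLeaks` and `extract` are hypothetical names; the `unrar x -y` argument layout is an illustration of "no `-p<password>` in argv" and assumes the tool reads its password from stdin, which is the behaviour the commit message relies on. The command is returned unstarted so the argv and stdin payload can be inspected without running an extractor.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
	"unicode"
)

// errControlChar is returned for passwords that could smuggle extra prompt
// answers (newline, carriage return, NUL, ESC ...) into the tool's stdin.
var errControlChar = errors.New("password contains control characters")

// checkPassword rejects every control character so the value written to
// stdin is exactly one prompt answer and nothing more.
func checkPassword(pw string) error {
	for _, r := range pw {
		if unicode.IsControl(r) {
			return errControlChar
		}
	}
	return nil
}

// extractTimeout bounds the tool run so an unexpected interactive prompt
// cannot hang the pipeline indefinitely.
const extractTimeout = 30 * time.Minute

// buildExtractCmd prepares an extractor invocation whose password is fed via
// stdin rather than -p<password> in argv (argv is readable by other local
// users through /proc/<pid>/cmdline). The flag layout is constructed for this
// example, not a statement about the project's exact invocation.
func buildExtractCmd(ctx context.Context, archive, dest, pw string) (*exec.Cmd, error) {
	if err := checkPassword(pw); err != nil {
		return nil, err
	}
	cmd := exec.CommandContext(ctx, "unrar", "x", "-y", archive, dest)
	cmd.Stdin = strings.NewReader(pw + "\n") // one answer, one newline
	return cmd, nil
}

// argvLeaks reports whether the password text appears anywhere in argv; it is
// the property the stdin design is meant to guarantee.
func argvLeaks(cmd *exec.Cmd, pw string) bool {
	if pw == "" {
		return false
	}
	for _, a := range cmd.Args {
		if strings.Contains(a, pw) {
			return true
		}
	}
	return false
}

// extract runs the bounded invocation; the context kills the child once the
// 30-minute budget is exhausted.
func extract(archive, dest, pw string) error {
	ctx, cancel := context.WithTimeout(context.Background(), extractTimeout)
	defer cancel()
	cmd, err := buildExtractCmd(ctx, archive, dest, pw)
	if err != nil {
		return err
	}
	return cmd.Run()
}

func main() {
	ctx := context.Background()
	// Constructed inputs: a benign password and one carrying an extra line.
	for _, pw := range []string{"hunter2", "ok\nsecond answer"} {
		cmd, err := buildExtractCmd(ctx, "release.rar", "/tmp/out", pw)
		if err != nil {
			fmt.Printf("%q rejected: %v\n", pw, err)
			continue
		}
		fmt.Printf("%q argv=%q leaks=%v\n", pw, cmd.Args, argvLeaks(cmd, pw))
	}
}
```

`exec.CommandContext` does not start the process, so `cmd.Args` and `cmd.Stdin` can be checked even on a host without unrar installed; `extract` is the only function that actually runs the tool.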