060a3e48db
Phase 3 security audit follow-up. Medium and low-severity hardenings plus a deferred-work plan for the cross-repo stream-token rollout. Stream server CORS: replace the wildcard Access-Control-Allow-Origin with an allowlist that echoes back only torrentclaw.com, app.torrentclaw.com, the local Next dev port (3030 — matches the web repo package.json) and any extras the operator adds via the new downloads.cors_extra_origins TOML key. A Vary: Origin header is now emitted whenever the request carries an Origin header so an intermediate cache cannot serve a stale ACAO to a different origin. URL scheme guard: openBrowser and OpenPlayer refuse any URL that is not http(s). Combined with passing the URL after "--" wherever the launched helper supports it (open, mpv, vlc, cvlc), this stops a leading "-" from being parsed as a switch by the spawned process. State file permissions: WriteState now writes 0o600 so the agent ID, PID and counters cannot be enumerated by another local user on a shared host. Matches the existing config file mode. ZIP slip defense-in-depth: extractZip extracts the safety check into safeZipPath, which canonicalises the entry name (normalising backslashes to "/"), rejects "..", "../" prefix and "/../" interior components, and verifies the final destination stays inside destDir before opening any file. Mirror fallback: documented the design for multi-provider mirrors.json hosting in the comment block on DefaultStaticFallbackURLs and added a follow-up note about signing it with the same ed25519 release key. The list is kept at one provider until the second host is provisioned and added to torrentclaw-web's STATIC_FALLBACKS. Deferred work: a new plan document Docs/plans/security-stream-token.md covers the per-task stream token (Phase 2.2 of the original audit) which requires coordinated web + CLI work and ships separately.
69 lines
1.4 KiB
Go
69 lines
1.4 KiB
Go
package cmd
|
|
|
|
import (
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestExpandHome(t *testing.T) {
|
|
home, _ := os.UserHomeDir()
|
|
|
|
tests := []struct {
|
|
input string
|
|
want string
|
|
}{
|
|
{"~/Documents", home + "/Documents"},
|
|
{"~/", home},
|
|
{"/absolute/path", "/absolute/path"},
|
|
{"relative/path", "relative/path"},
|
|
{"", ""},
|
|
{"~notexpanded", "~notexpanded"},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.input, func(t *testing.T) {
|
|
got := expandHome(tt.input)
|
|
if got != tt.want {
|
|
t.Errorf("expandHome(%q) = %q, want %q", tt.input, got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsSafeBrowserURL(t *testing.T) {
|
|
good := []string{
|
|
"http://localhost:3000",
|
|
"https://torrentclaw.com/some/path?q=1",
|
|
}
|
|
bad := []string{
|
|
"--help",
|
|
"-version",
|
|
"file:///etc/passwd",
|
|
"javascript:alert(1)",
|
|
"data:text/html,foo",
|
|
"ftp://example.com",
|
|
"",
|
|
}
|
|
for _, u := range good {
|
|
if !isSafeBrowserURL(u) {
|
|
t.Errorf("isSafeBrowserURL(%q) = false, want true", u)
|
|
}
|
|
}
|
|
for _, u := range bad {
|
|
if isSafeBrowserURL(u) {
|
|
t.Errorf("isSafeBrowserURL(%q) = true, want false", u)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestDefaultDownloadDir(t *testing.T) {
|
|
dir := defaultDownloadDir()
|
|
if dir == "" {
|
|
t.Error("defaultDownloadDir() returned empty string")
|
|
}
|
|
home, _ := os.UserHomeDir()
|
|
if !strings.HasPrefix(dir, home) {
|
|
t.Errorf("defaultDownloadDir() = %q, expected to start with home dir %q", dir, home)
|
|
}
|
|
}
|