unarr/internal/engine/validate.go

// Package engine — validate.go centralises input validators used by the
// stream/HLS HTTP handlers and the daemon glue. Keep new validators in this
// file so a future reviewer can audit the trust boundary in one place.
package engine

import "regexp"

// validSessionID restricts session IDs to characters safe for use as a single
// filesystem path component. Server-issued UUIDs and hex strings match this;
// anything containing slashes, dots, or path separators is rejected so a
// compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.
var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)

// defaultCORSAllowedOrigins is the baseline of browser origins that may
// XHR-probe `/health` and friends on the local daemon. Production hosts are
// hardcoded; localhost on the dev port used by torrentclaw-web is included
// so dev builds work without extra configuration. Operators may add more
// origins via the [downloads] cors_extra_origins TOML key.
//
// The dev port matches `next dev -p 3030` in torrentclaw-web/package.json.
// 127.0.0.1 is listed in addition to localhost because some browsers treat
// them as distinct origins for CORS.
//
// Note: media tags (<video src>, <audio src>) do not send the Origin
// header so they are not gated by CORS at all; this allowlist only
// affects fetch()/XHR.
var defaultCORSAllowedOrigins = []string{
	"https://torrentclaw.com",
	"https://app.torrentclaw.com",
	"http://localhost:3030",
	"http://127.0.0.1:3030",
}

// buildCORSAllowlist merges the default origins with any extras supplied by
// the operator. Returned map is intended to be installed once at Listen()
// and treated as read-only afterwards.
func buildCORSAllowlist(extra []string) map[string]struct{} {
	out := make(map[string]struct{}, len(defaultCORSAllowedOrigins)+len(extra))
	for _, o := range defaultCORSAllowedOrigins {
		out[o] = struct{}{}
	}
	for _, o := range extra {
		if o != "" {
			out[o] = struct{}{}
		}
	}
	return out
}
fix(security): harden HLS session IDs, /health disclosure, archive password handling Phase 1 security audit follow-up: - Reject HLS session IDs that aren't safe filesystem components (regex allowlist) to defend against path traversal via a buggy or compromised server. Applied at StartHLSSession and at the /hls URL handler; invalid IDs share the 404 of unknown sessions so the accepted format isn't enumerable. - /health no longer leaks the active filename, taskID prefix or client IP to non-loopback callers. Uses net.IP.IsLoopback so IPv4-mapped IPv6 (::ffff:127.0.0.1) is recognised and the empty-string parse failure stops bypassing the boundary. - unrar/7z passwords now travel through stdin instead of -p<password> in argv, removing /proc/<pid>/cmdline disclosure. Control characters in the password are rejected up front so a hostile NZB cannot feed extra prompt answers. Both invocations are bounded by a 30-minute context to stop indefinite hangs if the tool ever decides to prompt. 2026-05-15 17:10:42 +02:00			`// Package engine — validate.go centralises input validators used by the`
			`// stream/HLS HTTP handlers and the daemon glue. Keep new validators in this`
			`// file so a future reviewer can audit the trust boundary in one place.`
			`package engine`

			`import "regexp"`

			`// validSessionID restricts session IDs to characters safe for use as a single`
			`// filesystem path component. Server-issued UUIDs and hex strings match this;`
			`// anything containing slashes, dots, or path separators is rejected so a`
			`// compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.`
			var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs Phase 3 security audit follow-up. Medium and low-severity hardenings plus a deferred-work plan for the cross-repo stream-token rollout. Stream server CORS: replace the wildcard Access-Control-Allow-Origin with an allowlist that echoes back only torrentclaw.com, app.torrentclaw.com, the local Next dev port (3030 — matches the web repo package.json) and any extras the operator adds via the new downloads.cors_extra_origins TOML key. A Vary: Origin header is now emitted whenever the request carries an Origin header so an intermediate cache cannot serve a stale ACAO to a different origin. URL scheme guard: openBrowser and OpenPlayer refuse any URL that is not http(s). Combined with passing the URL after "--" wherever the launched helper supports it (open, mpv, vlc, cvlc), this stops a leading "-" from being parsed as a switch by the spawned process. State file permissions: WriteState now writes 0o600 so the agent ID, PID and counters cannot be enumerated by another local user on a shared host. Matches the existing config file mode. ZIP slip defense-in-depth: extractZip extracts the safety check into safeZipPath, which canonicalises the entry name (normalising backslashes to "/"), rejects "..", "../" prefix and "/../" interior components, and verifies the final destination stays inside destDir before opening any file. Mirror fallback: documented the design for multi-provider mirrors.json hosting in the comment block on DefaultStaticFallbackURLs and added a follow-up note about signing it with the same ed25519 release key. The list is kept at one provider until the second host is provisioned and added to torrentclaw-web's STATIC_FALLBACKS. Deferred work: a new plan document Docs/plans/security-stream-token.md covers the per-task stream token (Phase 2.2 of the original audit) which requires coordinated web + CLI work and ships separately. 2026-05-15 18:48:59 +02:00
			`// defaultCORSAllowedOrigins is the baseline of browser origins that may`
			// XHR-probe `/health` and friends on the local daemon. Production hosts are
			`// hardcoded; localhost on the dev port used by torrentclaw-web is included`
			`// so dev builds work without extra configuration. Operators may add more`
			`// origins via the [downloads] cors_extra_origins TOML key.`
			`//`
			// The dev port matches `next dev -p 3030` in torrentclaw-web/package.json.
			`// 127.0.0.1 is listed in addition to localhost because some browsers treat`
			`// them as distinct origins for CORS.`
			`//`
			`// Note: media tags (<video src>, <audio src>) do not send the Origin`
			`// header so they are not gated by CORS at all; this allowlist only`
			`// affects fetch()/XHR.`
			`var defaultCORSAllowedOrigins = []string{`
			`"https://torrentclaw.com",`
			`"https://app.torrentclaw.com",`
			`"http://localhost:3030",`
			`"http://127.0.0.1:3030",`
			`}`

			`// buildCORSAllowlist merges the default origins with any extras supplied by`
			`// the operator. Returned map is intended to be installed once at Listen()`
			`// and treated as read-only afterwards.`
			`func buildCORSAllowlist(extra []string) map[string]struct{} {`
			`out := make(map[string]struct{}, len(defaultCORSAllowedOrigins)+len(extra))`
			`for _, o := range defaultCORSAllowedOrigins {`
			`out[o] = struct{}{}`
			`}`
			`for _, o := range extra {`
			`if o != "" {`
			`out[o] = struct{}{}`
			`}`
			`}`
			`return out`
			`}`