2026-03-28 21:36:12 +01:00
|
|
|
package agent
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"os"
|
|
|
|
|
"path/filepath"
|
|
|
|
|
"time"
|
|
|
|
|
|
2026-03-30 13:06:07 +02:00
|
|
|
"github.com/torrentclaw/unarr/internal/config"
|
2026-03-28 21:36:12 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// DaemonState is written to disk every heartbeat for external tools to read.
|
|
|
|
|
type DaemonState struct {
|
|
|
|
|
AgentID string `json:"agentId"`
|
|
|
|
|
Status string `json:"status"` // running | upgrading | shutting_down
|
|
|
|
|
Version string `json:"version"`
|
|
|
|
|
PID int `json:"pid"`
|
|
|
|
|
StartedAt time.Time `json:"startedAt"`
|
|
|
|
|
LastHeartbeat time.Time `json:"lastHeartbeat"`
|
|
|
|
|
ActiveTasks int `json:"activeTasks"`
|
|
|
|
|
CompletedCount int `json:"completedCount"`
|
|
|
|
|
FailedCount int `json:"failedCount"`
|
|
|
|
|
TotalDownloaded int64 `json:"totalDownloaded"`
|
|
|
|
|
MethodStats map[string]int `json:"methodStats,omitempty"`
|
2026-05-22 08:33:02 +02:00
|
|
|
|
|
|
|
|
// Managed-VPN split-tunnel state, so `unarr vpn status` can report whether
|
|
|
|
|
// torrent traffic is actually being routed through the tunnel (vs. the daemon
|
|
|
|
|
// running but the tunnel having failed to come up → downloading in the clear).
|
|
|
|
|
VPNActive bool `json:"vpnActive,omitempty"`
|
|
|
|
|
VPNMode string `json:"vpnMode,omitempty"` // managed | self-hosted
|
|
|
|
|
VPNServer string `json:"vpnServer,omitempty"` // WireGuard endpoint (ip:port)
|
2026-03-28 21:36:12 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// stateFilePathFn is overridable for testing.
|
|
|
|
|
var stateFilePathFn = func() string {
|
|
|
|
|
return filepath.Join(config.DataDir(), "daemon.state.json")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// StateFilePath returns the path to the daemon state file.
|
|
|
|
|
func StateFilePath() string {
|
|
|
|
|
return stateFilePathFn()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// WriteState writes the daemon state to disk (best-effort, never errors).
|
|
|
|
|
func WriteState(state *DaemonState) {
|
|
|
|
|
path := StateFilePath()
|
|
|
|
|
dir := filepath.Dir(path)
|
|
|
|
|
os.MkdirAll(dir, 0o755)
|
|
|
|
|
|
|
|
|
|
data, err := json.MarshalIndent(state, "", " ")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
// Write to temp file then rename for atomicity. 0o600 keeps the file
|
|
|
|
|
// readable only by the owning user — the state contains agentID, PID
|
|
|
|
|
// and counters which are useful to a co-tenant on a shared host for
|
|
|
|
|
// fingerprinting the daemon, and we already use 0o600 for the config
|
|
|
|
|
// file. No need for cross-user readability here.
|
2026-03-28 21:36:12 +01:00
|
|
|
tmp := path + ".tmp"
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
if err := os.WriteFile(tmp, data, 0o600); err != nil {
|
2026-03-28 21:36:12 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
os.Rename(tmp, path)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ReadState reads the daemon state from disk. Returns nil if not found.
|
|
|
|
|
func ReadState() *DaemonState {
|
|
|
|
|
data, err := os.ReadFile(StateFilePath())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
var state DaemonState
|
|
|
|
|
if json.Unmarshal(data, &state) != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return &state
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RemoveState deletes the state file (called on clean shutdown).
|
|
|
|
|
func RemoveState() {
|
|
|
|
|
os.Remove(StateFilePath())
|
|
|
|
|
}
|