2026-05-15 17:10:42 +02:00
|
|
|
// Package engine — validate.go centralises input validators used by the
|
|
|
|
|
// stream/HLS HTTP handlers and the daemon glue. Keep new validators in this
|
|
|
|
|
// file so a future reviewer can audit the trust boundary in one place.
|
|
|
|
|
package engine
|
|
|
|
|
|
|
|
|
|
import "regexp"
|
|
|
|
|
|
|
|
|
|
// validSessionID restricts session IDs to characters safe for use as a single
|
|
|
|
|
// filesystem path component. Server-issued UUIDs and hex strings match this;
|
|
|
|
|
// anything containing slashes, dots, or path separators is rejected so a
|
|
|
|
|
// compromised or buggy server cannot escape hlsTmpDirRoot via os.MkdirAll.
|
|
|
|
|
var validSessionID = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,128}$`)
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
|
|
|
|
|
// defaultCORSAllowedOrigins is the baseline of browser origins that may
|
|
|
|
|
// XHR-probe `/health` and friends on the local daemon. Production hosts are
|
|
|
|
|
// hardcoded; localhost on the dev port used by torrentclaw-web is included
|
|
|
|
|
// so dev builds work without extra configuration. Operators may add more
|
|
|
|
|
// origins via the [downloads] cors_extra_origins TOML key.
|
|
|
|
|
//
|
|
|
|
|
// The dev port matches `next dev -p 3030` in torrentclaw-web/package.json.
|
|
|
|
|
// 127.0.0.1 is listed in addition to localhost because some browsers treat
|
|
|
|
|
// them as distinct origins for CORS.
|
|
|
|
|
//
|
2026-05-27 10:06:54 +02:00
|
|
|
// Mirrors (`.to`, `staging.torrentclaw.com`, `www.`) are listed so a user
|
|
|
|
|
// playing from any official mirror succeeds the HEAD probe; without these
|
|
|
|
|
// the browser drops the response for "missing ACAO" and the player reports
|
|
|
|
|
// "404 todos los canales" even though the daemon returned 200.
|
|
|
|
|
//
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
// Note: media tags (<video src>, <audio src>) do not send the Origin
|
|
|
|
|
// header so they are not gated by CORS at all; this allowlist only
|
|
|
|
|
// affects fetch()/XHR.
|
|
|
|
|
var defaultCORSAllowedOrigins = []string{
|
|
|
|
|
"https://torrentclaw.com",
|
2026-05-27 10:06:54 +02:00
|
|
|
"https://www.torrentclaw.com",
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
"https://app.torrentclaw.com",
|
2026-05-27 10:06:54 +02:00
|
|
|
"https://staging.torrentclaw.com",
|
|
|
|
|
"https://torrentclaw.to",
|
|
|
|
|
"https://www.torrentclaw.to",
|
2026-05-31 14:20:49 +02:00
|
|
|
// unarr brand (separate deployment). The web player + agent endpoints run
|
|
|
|
|
// under unarr.app; without these the browser drops every /hls + /stream
|
|
|
|
|
// response (no Access-Control-Allow-Origin) and playback fails on unarr.
|
|
|
|
|
"https://unarr.app",
|
|
|
|
|
"https://www.unarr.app",
|
2026-05-27 10:06:54 +02:00
|
|
|
// Tor mirror — Tor Browser sends `Origin: http://<addr>.onion` (plain
|
|
|
|
|
// http, no port). Mirror address is the BUILT_IN_ONION constant from
|
|
|
|
|
// torrentclaw-web/src/lib/mirrors-config.ts; rotates rarely, kept in
|
|
|
|
|
// sync by hand. Daemon also dynamically merges /api/mirrors at startup
|
|
|
|
|
// (see daemon.go) so a new key doesn't need a CLI rebuild.
|
|
|
|
|
"http://torrentf3aifidcsaaanmnmuhv2s53r6hqsl3zkmfidiaxainkeqk5id.onion",
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
"http://localhost:3030",
|
|
|
|
|
"http://127.0.0.1:3030",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// buildCORSAllowlist merges the default origins with any extras supplied by
|
|
|
|
|
// the operator. Returned map is intended to be installed once at Listen()
|
|
|
|
|
// and treated as read-only afterwards.
|
|
|
|
|
func buildCORSAllowlist(extra []string) map[string]struct{} {
|
|
|
|
|
out := make(map[string]struct{}, len(defaultCORSAllowedOrigins)+len(extra))
|
|
|
|
|
for _, o := range defaultCORSAllowedOrigins {
|
|
|
|
|
out[o] = struct{}{}
|
|
|
|
|
}
|
|
|
|
|
for _, o := range extra {
|
|
|
|
|
if o != "" {
|
|
|
|
|
out[o] = struct{}{}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return out
|
|
|
|
|
}
|