add missing url check from whitelist

madiele · May 6, 2023 · f630d3e · f630d3e
1 parent 3ac0143
commit f630d3e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,9 +14,9 @@ services:
 
   vod2pod:
     extends: api_keys
+    image: madiele/vod2pod-rss:beta
     build:
         context: .
-    image: madiele/vod-to-podcast
     depends_on:
       - redis
     restart: unless-stopped
@@ -33,7 +33,7 @@ services:
       - REDIS_ADDRESS=redis #don't edit this
       - REDIS_PORT=6379 #don't edit this
       # put here any url (scheme included) you want to allow for rss conversion separated by comma
-      - VALID_URL_DOMAINS=https://www.youtube.com/,https://youtube.com/,https://www.youtu.be/,https://www.twitch.tv/,https://twitch.tv/,https://m.twitch.tv/
+      - VALID_URL_DOMAINS=https://*.youtube.com/,https://youtube.com/,https://youtu.be/,https://*.youtu.be/,https://*.twitch.tv/,https://twitch.tv/,https://*.googlevideo.com/,https://*.cloudfront.net/
 
   redis:
     image: "redis:6.2"

diff --git a/src/configs/mod.rs b/src/configs/mod.rs
@@ -56,7 +56,7 @@ impl Conf for EnvConf {
                 }
                 Ok(folder)
             },
-            ConfName::ValidUrlDomains => Ok(std::env::var("VALID_URL_DOMAINS").unwrap_or_else(|_| "https://www.youtube.com/,https://youtube.com/,https://www.youtu.be/,https://www.twitch.tv/,https://twitch.tv/,https://m.twitch.tv/".to_string())),
+            ConfName::ValidUrlDomains => Ok(std::env::var("VALID_URL_DOMAINS").unwrap_or_else(|_| "https://*.youtube.com/,https://youtube.com/,https://youtu.be/,https://*.youtu.be/,https://*.twitch.tv/,https://twitch.tv/,https://*.googlevideo.com/,https://*.cloudfront.net/".to_string())),
         }
     }
 }
diff --git a/src/main.rs b/src/main.rs
@@ -167,6 +167,11 @@ async fn transcode(
         }
     }
 
+    if !url_convert::check_if_in_whitelist(&stream_url) {
+        error!("supplied url ({stream_url}) not in whitelist (whitelist is needed to prevent SSRF attack)");
+        return HttpResponse::Forbidden().body("scheme and host not in whitelist");
+    }
+
     // Range header parsing
     const DEFAULT_CONTENT_RANGE: &str = "0-";
     let content_range_str = match req.headers().get("Range") {

diff --git a/src/url_convert/mod.rs b/src/url_convert/mod.rs
@@ -12,7 +12,11 @@ use crate::configs::{conf, ConfName, Conf};
 pub fn check_if_in_whitelist(url: &Url) -> bool {
     let valid_domains: Vec<Url> = conf().get(ConfName::ValidUrlDomains).unwrap().split(",").map(|s| Url::parse(s).unwrap()).collect();
     let is_valid = valid_domains.iter().any(|valid_domain| {
-        url.scheme() == valid_domain.scheme() && url.host_str() == valid_domain.host_str()
+            if valid_domain.host_str().unwrap().starts_with("*.") {
+                let valid_suffix = &valid_domain.host_str().unwrap()[2..];
+                return url.scheme() == valid_domain.scheme() && url.host_str().unwrap().ends_with(valid_suffix);
+            }
+            return url.scheme() == valid_domain.scheme() && url.host_str() == valid_domain.host_str();
     });
     return is_valid;
 }