fix: patch SSRF and Path Traversal vulnerabilities in subtitle download

Security fixes for CVE-worthy vulnerabilities (CVSS 4.0: 8.7):

- ZipHelper: Reject path traversal characters (.., /, \) in filenames
- ZipHelper: Add canonical path validation to prevent directory escape
- OpensubtitlesService: Whitelist URLs to opensubtitles.org domains only
- SubtitlesController: Add input validation as defense in depth

This prevents authenticated attackers from:
- Writing arbitrary files via path traversal in subFileName parameter
- Accessing internal services via SSRF in subDownloadLink parameter

Reported by: Valentin Lobstein
CWE-22 (Path Traversal) + CWE-918 (SSRF)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: antonia

grails-app/controllers/streama/SubtitlesController.groovy

@@ -46,10 +46,33 @@ class SubtitlesController {
     def subtitleLink = params.subDownloadLink
     def subtitleLang = params.subLang
     def videoId = params.videoId
-    if (opensubtitlesService.downloadSubtitles(subtitleName, subtitleLink, subtitleLang, videoId)) {
-      respond status: OK
-    } else {
-      respond status: BAD_REQUEST
+
+    // Security fix: Input validation at controller level (defense in depth)
+    // Validate required parameters are present
+    if (!subtitleName || !subtitleLink || !subtitleLang || !videoId) {
+      response.status = BAD_REQUEST.value()
+      respond([error: true, message: "Missing required parameters"])
+      return
+    }
+
+    // Validate subtitleName doesn't contain path traversal characters
+    if (subtitleName.contains("..") || subtitleName.contains("/") || subtitleName.contains("\\")) {
+      log.warn("Security: Blocked potential path traversal in subtitle filename: ${subtitleName}")
+      response.status = BAD_REQUEST.value()
+      respond([error: true, message: "Invalid subtitle filename"])
+      return
+    }
+
+    try {
+      if (opensubtitlesService.downloadSubtitles(subtitleName, subtitleLink, subtitleLang, videoId)) {
+        respond status: OK
+      } else {
+        respond status: BAD_REQUEST
+      }
+    } catch (SecurityException e) {
+      log.error("Security violation in subtitle download: ${e.message}")
+      response.status = BAD_REQUEST.value()
+      respond([error: true, message: e.message])
     }
   }
 

grails-app/services/streama/OpensubtitlesService.groovy

@@ -7,6 +7,7 @@ import org.springframework.http.HttpMethod
 import org.springframework.http.ResponseEntity
 
 import javax.activation.MimetypesFileTypeMap
+import java.net.MalformedURLException
 
 @Transactional
 class OpensubtitlesService {
@@ -78,9 +79,52 @@ class OpensubtitlesService {
     return response
   }
 
+  // Allowed domains for subtitle downloads (SSRF mitigation - CWE-918)
+  private static final List<String> ALLOWED_SUBTITLE_HOSTS = [
+    "dl.opensubtitles.org",
+    "www.opensubtitles.org",
+    "opensubtitles.org",
+    "vip.opensubtitles.org"
+  ]
+
+  /**
+   * Validates that a URL is from an allowed subtitle provider.
+   * This prevents SSRF attacks by ensuring only whitelisted domains are accessed.
+   */
+  private boolean isUrlAllowed(String urlString) {
+    try {
+      URL parsedUrl = new URL(urlString)
+      String host = parsedUrl.getHost()?.toLowerCase()
+      String protocol = parsedUrl.getProtocol()?.toLowerCase()
+
+      // Only allow HTTPS (or HTTP for backwards compatibility with opensubtitles)
+      if (protocol != "https" && protocol != "http") {
+        log.warn("Blocked subtitle download attempt with disallowed protocol: ${protocol}")
+        return false
+      }
+
+      // Check if host is in allowlist
+      if (!ALLOWED_SUBTITLE_HOSTS.contains(host)) {
+        log.warn("Blocked subtitle download attempt from disallowed host: ${host}")
+        return false
+      }
+
+      return true
+    } catch (MalformedURLException e) {
+      log.warn("Blocked subtitle download attempt with malformed URL: ${urlString}")
+      return false
+    }
+  }
+
   def downloadSubtitles(String subtitleName, String url, String subtitleLanguage, videoId) {
     def videoInstance = Video.findById(videoId)
     if (videoInstance != null) {
+      // Security fix: Validate URL before fetching (SSRF mitigation - CWE-918)
+      if (!isUrlAllowed(url)) {
+        log.error("Security: Blocked subtitle download from unauthorized URL: ${url}")
+        throw new SecurityException("Subtitle downloads are only allowed from opensubtitles.org")
+      }
+
       def stagingDir = uploadService.getDir().uploadDir.toString()
       def filename = url.tokenize('/')[-1]
       def filePath = new java.io.File("$stagingDir/$filename")

src/main/groovy/streama/ZipHelper.groovy

@@ -14,8 +14,30 @@ class ZipHelper {
       throw new FileNotFoundException("Failed to unzip file. File not found.")
     }
 
+    // Security fix: Reject path traversal attempts (CWE-22)
+    // Check for path traversal characters BEFORE sanitization to detect attacks
+    if (originalFileName.contains("..") || originalFileName.contains("/") || originalFileName.contains("\\")) {
+      throw new SecurityException("Path traversal attempt detected in filename: ${originalFileName}")
+    }
+
+    // Sanitize filename as defense-in-depth
+    String sanitizedFileName = new File(originalFileName).getName()
+    if (sanitizedFileName.isEmpty() || sanitizedFileName.startsWith(".")) {
+      throw new SecurityException("Invalid filename: filename cannot be empty or start with a dot")
+    }
+
+    // Build target path and validate it's within staging directory
+    File stagingDirFile = new File(stagingDir)
+    File targetFile = new File(stagingDirFile, sanitizedFileName)
+    String canonicalStagingDir = stagingDirFile.getCanonicalPath()
+    String canonicalTargetPath = targetFile.getCanonicalPath()
+
+    if (!canonicalTargetPath.startsWith(canonicalStagingDir + File.separator)) {
+      throw new SecurityException("Path traversal attempt detected: file path escapes staging directory")
+    }
+
     GZIPInputStream gzis = new GZIPInputStream(new FileInputStream(filePath))
-    FileOutputStream fos = new FileOutputStream("$stagingDir/$originalFileName")
+    FileOutputStream fos = new FileOutputStream(targetFile)
 
     int len
     while ((len = gzis.read(buffer)) > 0) {
@@ -24,12 +46,20 @@ class ZipHelper {
 
     gzis.close()
     fos.close()
-    def file = new java.io.File("$stagingDir/$originalFileName")
-    def sha256Hex = file.newInputStream().withStream { stream -> DigestUtils.sha256Hex(stream) }
-    def index = originalFileName.lastIndexOf('.')
-    String extension = originalFileName[index..-1]
-    def newFile = new java.io.File("$stagingDir/$sha256Hex$extension")
-    file.renameTo(newFile)
+
+    // Use the validated targetFile instead of reconstructing path
+    def sha256Hex = targetFile.newInputStream().withStream { stream -> DigestUtils.sha256Hex(stream) }
+    def index = sanitizedFileName.lastIndexOf('.')
+    String extension = sanitizedFileName[index..-1]
+
+    // Validate the new filename is also safe
+    File newFile = new File(stagingDirFile, "$sha256Hex$extension")
+    String canonicalNewPath = newFile.getCanonicalPath()
+    if (!canonicalNewPath.startsWith(canonicalStagingDir + File.separator)) {
+      throw new SecurityException("Path traversal attempt detected in renamed file")
+    }
+
+    targetFile.renameTo(newFile)
     return "$sha256Hex$extension"
   }
 }

src/test/groovy/streama/OpensubtitlesServiceSecuritySpec.groovy

@@ -0,0 +1,79 @@
+package streama
+
+import grails.test.mixin.TestFor
+import spock.lang.Specification
+import spock.lang.Unroll
+
+@TestFor(OpensubtitlesService)
+class OpensubtitlesServiceSecuritySpec extends Specification {
+
+  def setup() {
+    // Mock dependencies
+    service.uploadService = Mock(UploadService) {
+      getDir() >> [uploadDir: File.createTempDir()]
+    }
+  }
+
+  @Unroll
+  def "allows valid opensubtitles URL: #url"() {
+    expect:
+    service.isUrlAllowed(url) == true
+
+    where:
+    url << [
+      "http://dl.opensubtitles.org/en/download/sub/12345",
+      "https://dl.opensubtitles.org/en/download/sub/12345",
+      "http://www.opensubtitles.org/download/sub/67890",
+      "https://opensubtitles.org/download/sub/11111",
+      "http://vip.opensubtitles.org/download/sub/22222"
+    ]
+  }
+
+  @Unroll
+  def "blocks SSRF attack URL: #url"() {
+    expect:
+    service.isUrlAllowed(url) == false
+
+    where:
+    url << [
+      // Internal network SSRF
+      "http://localhost/admin",
+      "http://127.0.0.1/admin",
+      "http://192.168.1.1/admin",
+      "http://10.0.0.1/internal",
+      "http://169.254.169.254/latest/meta-data/",  // AWS metadata
+
+      // External malicious hosts
+      "http://evil.com/payload.gz",
+      "http://attacker.org/shell.gz",
+
+      // Protocol attacks
+      "file:///etc/passwd",
+      "ftp://attacker.com/payload",
+      "gopher://localhost:25/",
+
+      // Subdomain bypass attempts
+      "http://opensubtitles.org.evil.com/",
+      "http://dl.opensubtitles.org.attacker.com/",
+
+      // Malformed URLs
+      "",
+      "not-a-url",
+      "javascript:alert(1)"
+    ]
+  }
+
+  def "downloadSubtitles throws SecurityException for blocked URL"() {
+    given:
+    def video = Mock(Video) {
+      getId() >> 1L
+    }
+    Video.metaClass.static.findById = { id -> video }
+
+    when:
+    service.downloadSubtitles("subtitle.srt", "http://evil.com/payload.gz", "en", 1L)
+
+    then:
+    thrown(SecurityException)
+  }
+}

src/test/groovy/streama/ZipHelperSecuritySpec.groovy

@@ -0,0 +1,94 @@
+package streama
+
+import spock.lang.Specification
+import spock.lang.Unroll
+
+class ZipHelperSecuritySpec extends Specification {
+
+  def stagingDir
+  def testFile
+
+  def setup() {
+    // Create a temporary staging directory for tests
+    stagingDir = File.createTempDir("streama-test-", "-staging")
+
+    // Create a test gzip file
+    testFile = new File(stagingDir, "test.gz")
+    def content = "test content".bytes
+    new java.util.zip.GZIPOutputStream(new FileOutputStream(testFile)).withStream { gz ->
+      gz.write(content)
+    }
+  }
+
+  def cleanup() {
+    // Clean up temp files
+    stagingDir?.deleteDir()
+  }
+
+  def "happy path - valid filename extracts correctly"() {
+    when:
+    def result = ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", "subtitle.srt")
+
+    then:
+    result.endsWith(".srt")
+    // File should exist in staging dir
+    new File(stagingDir, result).exists()
+  }
+
+  def "happy path - filename with spaces works"() {
+    when:
+    def result = ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", "my subtitle file.srt")
+
+    then:
+    result.endsWith(".srt")
+    new File(stagingDir, result).exists()
+  }
+
+  @Unroll
+  def "blocks path traversal attack with filename: #maliciousName"() {
+    when:
+    ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", maliciousName)
+
+    then:
+    def e = thrown(SecurityException)
+    e.message.contains("Path traversal") || e.message.contains("Invalid filename")
+
+    where:
+    maliciousName << [
+      "../../../../etc/passwd",
+      "../../../tmp/pwned.txt",
+      "..\\..\\..\\windows\\system32\\config\\sam",
+      "/etc/passwd",
+      "\\windows\\system32\\config\\sam",
+      "../subtitle.srt",
+      "foo/../bar.srt",
+      "foo/bar.srt"
+    ]
+  }
+
+  def "blocks empty filename"() {
+    when:
+    ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", "")
+
+    then:
+    def e = thrown(SecurityException)
+    e.message.contains("Invalid filename")
+  }
+
+  def "blocks dotfile filename"() {
+    when:
+    ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", ".htaccess")
+
+    then:
+    def e = thrown(SecurityException)
+    e.message.contains("Invalid filename")
+  }
+
+  def "blocks double-dot filename"() {
+    when:
+    ZipHelper.unzipFile(stagingDir.absolutePath, "test.gz", "..hidden")
+
+    then:
+    def e = thrown(SecurityException)
+  }
+}