3pp-mirror/snapcast
1
0
Fork 0
mirror of https://github.com/badaix/snapcast.git synced 2025-04-28 17:57:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

controlscript must be located in plugin_dir

Browse source
This commit is contained in:
badaix 2025-01-21 22:25:04 +01:00
parent be266c07ce
commit 8e9806f35c
13 changed files with 137 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
common/utils/string_utils.cpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2024 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -105,6 +105,31 @@ std::string trim_copy(const std::string& s)
return trim(str); return trim(str);
} }
std::string urlEncode(const std::string& str)
{
std::ostringstream os;
for (std::string::const_iterator ci = str.begin(); ci != str.end(); ++ci)
{
if ((*ci >= 'a' && *ci <= 'z') || (*ci >= 'A' && *ci <= 'Z') || (*ci >= '0' && *ci <= '9'))
{ // allowed
os << *ci;
}
else if (*ci == ' ')
{
os << '+';
}
else
{
auto toHex = [](unsigned char x) { return static_cast<unsigned char>(x + (x > 9 ? ('A' - 10) : '0')); };
os << '%' << toHex(*ci >> 4) << toHex(*ci % 16);
}
}
return os.str();
}
// decode %xx to char // decode %xx to char
std::string uriDecode(const std::string& src) std::string uriDecode(const std::string& src)
{ {

5
common/utils/string_utils.hpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2024 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -54,6 +54,9 @@ std::string trim_copy(const std::string& s);
/// decode %xx to char /// decode %xx to char
std::string uriDecode(const std::string& src); std::string uriDecode(const std::string& src);
/// @return uri encoded version of @p str
std::string urlEncode(const std::string& str);
/// Split string @p s at @p delim into @p left and @p right /// Split string @p s at @p delim into @p left and @p right
void split_left(const std::string& s, char delim, std::string& left, std::string& right); void split_left(const std::string& s, char delim, std::string& left, std::string& right);

2
doc/json_rpc_api/control.md
View file

@ -485,7 +485,7 @@ See [Plugin.Stream.Player.SetProperty](stream_plugin.md#pluginstreamplayersetpro
### Stream.AddStream ### Stream.AddStream
Note: For security purposes, the RPC interface allows only adding streams of these types: `pipe`, `file`, `tcp`, `alsa`, `jack` and `meta`. Note: For security purposes, the RPC interface allows only adding streams of these types: `pipe`, `file`, `tcp`, `alsa`, `jack` and `meta`.
It is also not allowed to set the `controlscript` query parameter of `streamUri`. The optional`controlscript` of the `streamUri` must be located in `[stream] plugin_dir` (configured in `snapserver.conf`, default `/usr/share/snapserver/plug-ins`), can be an absolute or relative path.
#### Request #### Request

35
server/control_requests.cpp
View file

@ -22,11 +22,13 @@
// local headers // local headers
#include "common/aixlog.hpp" #include "common/aixlog.hpp"
#include "common/message/server_settings.hpp" #include "common/message/server_settings.hpp"
#include "jsonrpcpp.hpp"
#include "server.hpp" #include "server.hpp"
// 3rd party headers // 3rd party headers
// standard headers // standard headers
#include <filesystem>
#include <memory> #include <memory>
#include <tuple> #include <tuple>
@ -692,18 +694,35 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&
// Don't allow adding streams that start a user defined process: CVE-2023-36177 // Don't allow adding streams that start a user defined process: CVE-2023-36177
static constexpr std::array whitelist{"pipe", "file", "tcp", "alsa", "jack", "meta"}; static constexpr std::array whitelist{"pipe", "file", "tcp", "alsa", "jack", "meta"};
const std::string stream_uri = request->params().get("streamUri"); std::string stream_uri = request->params().get("streamUri");
const StreamUri parsedUri(stream_uri); StreamUri parsed_uri(stream_uri);
if (std::find(whitelist.begin(), whitelist.end(), parsedUri.scheme) == whitelist.end()) if (std::find(whitelist.begin(), whitelist.end(), parsed_uri.scheme) == whitelist.end())
throw jsonrpcpp::InvalidParamsException("Adding '" + parsedUri.scheme + "' streams is not allowed", request->id()); throw jsonrpcpp::InvalidParamsException("Adding '" + parsed_uri.scheme + "' streams is not allowed", request->id());
// Don't allow settings the controlscript streamUri property std::filesystem::path script = parsed_uri.getQuery("controlscript");
if (!parsedUri.getQuery("controlscript").empty()) if (!script.empty())
throw jsonrpcpp::InvalidParamsException("No 'controlscript' streamUri property allowed", request->id()); {
// script must be located in the [stream] plugin_dir
std::filesystem::path plugin_dir = getSettings().stream.plugin_dir;
// if script file name is relative, prepend the plugin_dir
if (!script.is_absolute())
script = plugin_dir / script;
// convert to normalized absolute path
script = std::filesystem::weakly_canonical(script);
LOG(DEBUG, LOG_TAG) << "controlscript: " << script.native() << "\n";
// check if script is directly located in plugin_dir
if (script.parent_path() != plugin_dir)
throw jsonrpcpp::InvalidParamsException("controlscript must be located in '" + plugin_dir.native() + "'");
if (!std::filesystem::exists(script))
throw jsonrpcpp::InvalidParamsException("controlscript '" + script.native() + "' does not exist");
parsed_uri.query["controlscript"] = script;
LOG(DEBUG, LOG_TAG) << "Raw stream uri: " << stream_uri << "\n";
stream_uri = parsed_uri.toString();
}
std::ignore = authinfo; std::ignore = authinfo;
LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n"; LOG(INFO, LOG_TAG) << "Stream.AddStream(" << stream_uri << ")\n";
// Add stream // Add stream
PcmStreamPtr stream = getStreamManager().addStream(stream_uri); PcmStreamPtr stream = getStreamManager().addStream(stream_uri);

3
server/etc/snapserver.conf
View file

@ -166,6 +166,9 @@ doc_root = /usr/share/snapserver/snapweb
# meta: meta:///<name of source#1>/<name of source#2>/.../<name of source#N>?name=<name> # meta: meta:///<name of source#1>/<name of source#2>/.../<name of source#N>?name=<name>
source = pipe:///tmp/snapfifo?name=default source = pipe:///tmp/snapfifo?name=default
# Plugin directory, containing scripts, referred by "controlscript"
# plugin_dir = /usr/share/snapserver/plug-ins
# Default sample format: <sample rate>:<bits per sample>:<channels> # Default sample format: <sample rate>:<bits per sample>:<channels>
#sampleformat = 48000:16:2 #sampleformat = 48000:16:2

3
server/server_settings.hpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2024 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -92,6 +92,7 @@ struct ServerSettings
struct Stream struct Stream
{ {
size_t port{1704}; size_t port{1704};
std::filesystem::path plugin_dir{"/usr/share/snapserver/plug-ins"};
std::vector<std::string> sources; std::vector<std::string> sources;
std::string codec{"flac"}; std::string codec{"flac"};
int32_t bufferMs{1000}; int32_t bufferMs{1000};

3
server/snapserver.cpp
View file

@ -113,6 +113,7 @@ int main(int argc, char* argv[])
settings.tcp.bind_to_address.front(), &settings.tcp.bind_to_address[0]); settings.tcp.bind_to_address.front(), &settings.tcp.bind_to_address[0]);
// stream settings // stream settings
conf.add<Value<std::filesystem::path>>("", "stream.plugin_dir", "stream plugin directory", settings.stream.plugin_dir, &settings.stream.plugin_dir);
auto stream_bind_to_address = conf.add<Value<string>>("", "stream.bind_to_address", "address for the server to listen on", auto stream_bind_to_address = conf.add<Value<string>>("", "stream.bind_to_address", "address for the server to listen on",
settings.stream.bind_to_address.front(), &settings.stream.bind_to_address[0]); settings.stream.bind_to_address.front(), &settings.stream.bind_to_address[0]);
conf.add<Value<size_t>>("", "stream.port", "which port the server should listen on", settings.stream.port, &settings.stream.port); conf.add<Value<size_t>>("", "stream.port", "which port the server should listen on", settings.stream.port, &settings.stream.port);
@ -296,6 +297,8 @@ int main(int argc, char* argv[])
if (!streamValue->is_set() && !sourceValue->is_set()) if (!streamValue->is_set() && !sourceValue->is_set())
settings.stream.sources.push_back(sourceValue->value()); settings.stream.sources.push_back(sourceValue->value());
settings.stream.plugin_dir = std::filesystem::weakly_canonical(settings.stream.plugin_dir);
LOG(INFO, LOG_TAG) << "Stream plugin directory: " << settings.stream.plugin_dir << "\n";
for (size_t n = 0; n < streamValue->count(); ++n) for (size_t n = 0; n < streamValue->count(); ++n)
{ {
LOG(INFO, LOG_TAG) << "Adding stream: " << streamValue->value(n) << "\n"; LOG(INFO, LOG_TAG) << "Adding stream: " << streamValue->value(n) << "\n";

2
server/streamreader/pcm_stream.cpp
View file

@ -72,7 +72,7 @@ PcmStream::PcmStream(PcmStream::Listener* pcmListener, boost::asio::io_context&
std::string params; std::string params;
if (uri_.query.find(kControlScriptParams) != uri_.query.end()) if (uri_.query.find(kControlScriptParams) != uri_.query.end())
params = uri_.query[kControlScriptParams]; params = uri_.query[kControlScriptParams];
stream_ctrl_ = std::make_unique<ScriptStreamControl>(strand_, uri_.query[kControlScript], params); stream_ctrl_ = std::make_unique<ScriptStreamControl>(strand_, server_settings_.stream.plugin_dir, uri_.query[kControlScript], std::move(params));
} }
if (uri_.query.find(kUriChunkMs) != uri_.query.end()) if (uri_.query.find(kUriChunkMs) != uri_.query.end())

10
server/streamreader/stream_control.cpp
View file

@ -129,15 +129,15 @@ void StreamControl::onLog(std::string message)
ScriptStreamControl::ScriptStreamControl(const boost::asio::any_io_executor& executor, const std::string& script, const std::string& params) ScriptStreamControl::ScriptStreamControl(const boost::asio::any_io_executor& executor, const std::filesystem::path& plugin_dir, std::string script,
: StreamControl(executor), script_(script), params_(params) std::string params)
: StreamControl(executor), script_(std::move(script)), params_(std::move(params))
{ {
namespace fs = utils::file; namespace fs = utils::file;
if (!fs::exists(script_)) if (!fs::exists(script_))
{ {
std::string plugin_path = "/usr/share/snapserver/plug-ins/"; if (fs::exists(plugin_dir / script_))
if (fs::exists(plugin_path + script_)) script_ = plugin_dir / script_;
script_ = plugin_path + script_;
else else
throw SnapException("Control script not found: \"" + script_ + "\""); throw SnapException("Control script not found: \"" + script_ + "\"");
} }

5
server/streamreader/stream_control.hpp
View file

@ -28,6 +28,7 @@
#include <boost/process.hpp> #include <boost/process.hpp>
// standard headers // standard headers
#include <filesystem>
#include <map> #include <map>
#include <string> #include <string>
@ -78,10 +79,10 @@ private:
class ScriptStreamControl : public StreamControl class ScriptStreamControl : public StreamControl
{ {
public: public:
ScriptStreamControl(const boost::asio::any_io_executor& executor, const std::string& script, const std::string& params); ScriptStreamControl(const boost::asio::any_io_executor& executor, const std::filesystem::path& plugin_dir, std::string script, std::string params);
virtual ~ScriptStreamControl() = default; virtual ~ScriptStreamControl() = default;
protected: private:
/// Send a message to stdin of the process /// Send a message to stdin of the process
void doCommand(const jsonrpcpp::Request& request) override; void doCommand(const jsonrpcpp::Request& request) override;
void doStart(const std::string& stream_id, const ServerSettings& server_setttings) override; void doStart(const std::string& stream_id, const ServerSettings& server_setttings) override;

38
server/streamreader/stream_uri.cpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2024 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,6 +31,8 @@
using namespace std; using namespace std;
namespace strutils = utils::string; namespace strutils = utils::string;
static constexpr auto LOG_TAG = "StreamUri";
namespace streamreader namespace streamreader
{ {
@ -40,34 +42,39 @@ StreamUri::StreamUri(const std::string& uri)
} }
void StreamUri::parse(const std::string& streamUri) void StreamUri::parse(const std::string& stream_uri)
{ {
// https://en.wikipedia.org/wiki/Uniform_Resource_Identifier // https://en.wikipedia.org/wiki/Uniform_Resource_Identifier
// scheme:[//[user:password@]host[:port]][/]path[?query][#fragment] // scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
// would be more elegant with regex. Not yet supported on my dev machine's gcc 4.8 :( // would be more elegant with regex. Not yet supported on my dev machine's gcc 4.8 :(
LOG(DEBUG) << "StreamUri: " << streamUri << "\n"; LOG(DEBUG, LOG_TAG) << "StreamUri: " << stream_uri << "\n";
size_t pos; size_t pos;
uri = strutils::trim_copy(streamUri);
// Remove leading and trailing quotes
uri = strutils::trim_copy(stream_uri);
while (!uri.empty() && ((uri[0] == '\'') || (uri[0] == '"'))) while (!uri.empty() && ((uri[0] == '\'') || (uri[0] == '"')))
uri = uri.substr(1); uri = uri.substr(1);
while (!uri.empty() && ((uri[uri.length() - 1] == '\'') || (uri[uri.length() - 1] == '"'))) while (!uri.empty() && ((uri[uri.length() - 1] == '\'') || (uri[uri.length() - 1] == '"')))
uri = uri.substr(0, this->uri.length() - 1); uri = uri.substr(0, this->uri.length() - 1);
// string decodedUri = strutils::uriDecode(uri); // string decodedUri = strutils::uriDecode(uri);
// LOG(DEBUG) << "StreamUri decoded: " << decodedUri << "\n"; // LOG(DEBUG, LOG_TAG) << "StreamUri decoded: " << decodedUri << "\n";
string tmp(uri); string tmp(uri);
// Parse scheme
pos = tmp.find(':'); pos = tmp.find(':');
if (pos == string::npos) if (pos == string::npos)
throw invalid_argument("missing ':'"); throw invalid_argument("missing ':'");
scheme = strutils::uriDecode(strutils::trim_copy(tmp.substr(0, pos))); scheme = strutils::uriDecode(strutils::trim_copy(tmp.substr(0, pos)));
tmp = tmp.substr(pos + 1); tmp = tmp.substr(pos + 1);
LOG(TRACE) << "scheme: '" << scheme << "', tmp: '" << tmp << "'\n"; LOG(TRACE, LOG_TAG) << "scheme: '" << scheme << "', tmp: '" << tmp << "'\n";
// tmp = //[user:password@]host[:port][/]path[?query][#fragment]
if (tmp.find("//") != 0) if (tmp.find("//") != 0)
throw invalid_argument("missing host separator: '//'"); throw invalid_argument("missing host separator: '//'");
tmp = tmp.substr(2); tmp = tmp.substr(2);
// tmp = [user:password@]host[:port][/]path[?query][#fragment]
pos = tmp.find('/'); pos = tmp.find('/');
if (pos == string::npos) if (pos == string::npos)
@ -76,13 +83,15 @@ void StreamUri::parse(const std::string& streamUri)
if (pos == string::npos) if (pos == string::npos)
pos = tmp.length(); pos = tmp.length();
} }
// [user:password@]host[:port][/]path[?query][#fragment]
// pos: ^ or ^ or ^
host = strutils::uriDecode(strutils::trim_copy(tmp.substr(0, pos))); host = strutils::uriDecode(strutils::trim_copy(tmp.substr(0, pos)));
tmp = tmp.substr(pos); tmp = tmp.substr(pos);
path = tmp; path = tmp;
pos = std::min(path.find('?'), path.find('#')); pos = std::min(path.find('?'), path.find('#'));
path = strutils::uriDecode(strutils::trim_copy(path.substr(0, pos))); path = strutils::uriDecode(strutils::trim_copy(path.substr(0, pos)));
LOG(TRACE) << "host: '" << host << "', tmp: '" << tmp << "', path: '" << path << "'\n"; LOG(TRACE, LOG_TAG) << "host: '" << host << "', tmp: '" << tmp << "', path: '" << path << "'\n";
string queryStr; string queryStr;
pos = tmp.find('?'); pos = tmp.find('?');
@ -90,7 +99,7 @@ void StreamUri::parse(const std::string& streamUri)
{ {
tmp = tmp.substr(pos + 1); tmp = tmp.substr(pos + 1);
queryStr = tmp; queryStr = tmp;
LOG(TRACE) << "path: '" << path << "', tmp: '" << tmp << "', query: '" << queryStr << "'\n"; LOG(TRACE, LOG_TAG) << "path: '" << path << "', tmp: '" << tmp << "', query: '" << queryStr << "'\n";
} }
pos = tmp.find('#'); pos = tmp.find('#');
@ -99,7 +108,7 @@ void StreamUri::parse(const std::string& streamUri)
queryStr = tmp.substr(0, pos); queryStr = tmp.substr(0, pos);
tmp = tmp.substr(pos + 1); tmp = tmp.substr(pos + 1);
fragment = strutils::uriDecode(strutils::trim_copy(tmp)); fragment = strutils::uriDecode(strutils::trim_copy(tmp));
LOG(TRACE) << "query: '" << queryStr << "', fragment: '" << fragment << "', tmp: '" << tmp << "'\n"; LOG(TRACE, LOG_TAG) << "query: '" << queryStr << "', fragment: '" << fragment << "', tmp: '" << tmp << "'\n";
} }
vector<string> keyValueList = strutils::split(queryStr, '&'); vector<string> keyValueList = strutils::split(queryStr, '&');
@ -113,15 +122,16 @@ void StreamUri::parse(const std::string& streamUri)
query[key] = value; query[key] = value;
} }
} }
LOG(DEBUG) << "StreamUri.toString: " << toString() << "\n"; LOG(DEBUG, LOG_TAG) << "StreamUri.toString: " << toString() << "\n";
} }
std::string StreamUri::toString() const std::string StreamUri::toString() const
{ {
// TODO: path must be properly be uri encoded
// scheme:[//[user:password@]host[:port]][/]path[?query][#fragment] // scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
stringstream ss; stringstream ss;
ss << scheme << "://" << host << "/" + path; ss << scheme << "://" << host << path;
if (!query.empty()) if (!query.empty())
{ {
ss << "?"; ss << "?";
@ -155,4 +165,10 @@ std::string StreamUri::getQuery(const std::string& key, const std::string& def)
return iter->second; return iter->second;
return def; return def;
} }
bool StreamUri::operator==(const StreamUri& other) const
{
return (other.scheme == scheme) && (other.host == host) && (other.path == path) && (other.query == query) && (other.fragment == fragment);
}
} // namespace streamreader } // namespace streamreader

45
server/streamreader/stream_uri.hpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2020 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -32,32 +32,49 @@ using json = nlohmann::json;
namespace streamreader namespace streamreader
{ {
// scheme:[//[user:password@]host[:port]][/]path[?query][#fragment] /// URI with the general format:
/// scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
struct StreamUri struct StreamUri
{ {
StreamUri(const std::string& uri); /// c'tor construct from string @p uri
explicit StreamUri(const std::string& uri);
/// the complete uri
std::string uri; std::string uri;
/// the scheme component (pipe, http, file, tcp, ...)
std::string scheme; std::string scheme;
/* struct Authority // struct Authority
{ // {
std::string username; // std::string username;
std::string password; // std::string password;
std::string host; // std::string host;
size_t port; // size_t port;
}; // };
Authority authority; // Authority authority;
*/
/// the host component
std::string host; std::string host;
/// the path component
std::string path; std::string path;
/// the query component: "key = value" pairs
std::map<std::string, std::string> query; std::map<std::string, std::string> query;
/// the fragment component
std::string fragment; std::string fragment;
std::string id() const; /// @return URI as json
json toJson() const; json toJson() const;
/// @return value for a @p key or @p def, if key does not exist
std::string getQuery(const std::string& key, const std::string& def = "") const; std::string getQuery(const std::string& key, const std::string& def = "") const;
void parse(const std::string& streamUri); /// parse @p stream_uri string
void parse(const std::string& stream_uri);
/// @return uri as string
std::string toString() const; std::string toString() const;
/// @return true if @p other is equal to this
bool operator==(const StreamUri& other) const;
}; };
} // namespace streamreader } // namespace streamreader

5
test/test_main.cpp
View file

@ -1,6 +1,6 @@
/*** /***
This file is part of snapcast This file is part of snapcast
Copyright (C) 2014-2024 Johannes Pohl Copyright (C) 2014-2025 Johannes Pohl
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -290,6 +290,9 @@ TEST_CASE("Uri")
REQUIRE(uri.query["devicename"] == "Snapcast"); REQUIRE(uri.query["devicename"] == "Snapcast");
REQUIRE(uri.query["bitrate"] == "320"); REQUIRE(uri.query["bitrate"] == "320");
REQUIRE(uri.query["killall"] == "false"); REQUIRE(uri.query["killall"] == "false");
REQUIRE(uri.toString().find("spotify:///librespot?") == 0);
StreamUri uri_from_str{uri.toString()};
// REQUIRE(uri == uri_from_str);
} }