3pp-mirror/snapcast
1
0
Fork 0
mirror of https://github.com/badaix/snapcast.git synced 2025-04-28 09:47:09 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add white list for "Stream.AddStream"

Browse source
This commit is contained in:
badaix 2025-01-20 12:29:51 +01:00
parent ceb108b338
commit be266c07ce
3 changed files with 13 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
changelog.md
View file

@ -4,7 +4,8 @@
### Features
- Server: Add secure RPC methods `AddStream` and `RemoveStream` (PR #1331, Issue #1330)
- Server: Add secure RPC method `Stream.AddStream` (PR #1331, Issue #1330)
- Server: Re-add RPC method `RemoveStream` (Issue #1330)
### Bugfixes

5
doc/json_rpc_api/control.md
View file

@ -484,8 +484,8 @@ See [Plugin.Stream.Player.SetProperty](stream_plugin.md#pluginstreamplayersetpro
### Stream.AddStream
Note: for security purposes, we don't allow adding `process` streams.
We also don't allow setting the `controlscript` query parameter of streamUri.
Note: For security purposes, the RPC interface allows only adding streams of these types: `pipe`, `file`, `tcp`, `alsa`, `jack` and `meta`.
It is also not allowed to set the `controlscript` query parameter of `streamUri`.
#### Request
@ -513,7 +513,6 @@ We also don't allow setting the `controlscript` query parameter of streamUri.
{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
```
##### Error
```json

16
server/control_requests.cpp
View file

@ -690,21 +690,23 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&
checkParams(request, {"streamUri"});
// Don't allow adding a process stream: CVE-2023-36177
const std::string streamUri = request->params().get("streamUri");
const StreamUri parsedUri(streamUri);
if (parsedUri.scheme == "process")
throw jsonrpcpp::InvalidParamsException("Adding process streams is not allowed", request->id());
// Don't allow adding streams that start a user defined process: CVE-2023-36177
static constexpr std::array whitelist{"pipe", "file", "tcp", "alsa", "jack", "meta"};
const std::string stream_uri = request->params().get("streamUri");
const StreamUri parsedUri(stream_uri);
if (std::find(whitelist.begin(), whitelist.end(), parsedUri.scheme) == whitelist.end())
throw jsonrpcpp::InvalidParamsException("Adding '" + parsedUri.scheme + "' streams is not allowed", request->id());
// Don't allow settings the controlscript streamUri property
if (!parsedUri.getQuery("controlscript").empty())
throw jsonrpcpp::InvalidParamsException("No controlscript streamUri property allowed", request->id());
throw jsonrpcpp::InvalidParamsException("No 'controlscript' streamUri property allowed", request->id());
std::ignore = authinfo;
LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n";
// Add stream
PcmStreamPtr stream = getStreamManager().addStream(streamUri);
PcmStreamPtr stream = getStreamManager().addStream(stream_uri);
if (stream == nullptr)
throw jsonrpcpp::InternalErrorException("Stream not created", request->id());
stream->start(); // We start the stream, otherwise it would be silent