Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-01-03 00:06:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update:Support for ENV variables to disable SSRF request filter (DISABLE_SSRF_REQUEST_FILTER=1) #2549

Browse Source
This commit is contained in:
advplyr 2024-06-03 17:21:18 -05:00
parent 2b5c7fb519
commit 9c33446449
3 changed files with 167 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/Server.js
View File

@ -51,6 +51,7 @@ class Server {
global.RouterBasePath = ROUTER_BASE_PATH global.RouterBasePath = ROUTER_BASE_PATH
global.XAccel = process.env.USE_X_ACCEL global.XAccel = process.env.USE_X_ACCEL
global.AllowCors = process.env.ALLOW_CORS === '1' global.AllowCors = process.env.ALLOW_CORS === '1'
global.DisableSsrfRequestFilter = process.env.DISABLE_SSRF_REQUEST_FILTER === '1'
if (!fs.pathExistsSync(global.ConfigPath)) { if (!fs.pathExistsSync(global.ConfigPath)) {
fs.mkdirSync(global.ConfigPath) fs.mkdirSync(global.ConfigPath)

56
server/utils/fileUtils.js
View File

@ -7,7 +7,6 @@ const rra = require('../libs/recursiveReaddirAsync')
const Logger = require('../Logger') const Logger = require('../Logger')
const { AudioMimeType } = require('./constants') const { AudioMimeType } = require('./constants')
/** /**
* Make sure folder separator is POSIX for Windows file paths. e.g. "C:\Users\Abs" becomes "C:/Users/Abs" * Make sure folder separator is POSIX for Windows file paths. e.g. "C:\Users\Abs" becomes "C:/Users/Abs"
* *
@ -33,8 +32,8 @@ function isSameOrSubPath(parentPath, childPath) {
if (parentPath === childPath) return true if (parentPath === childPath) return true
const relativePath = Path.relative(parentPath, childPath) const relativePath = Path.relative(parentPath, childPath)
return ( return (
relativePath === '' // Same path (e.g. parentPath = '/a/b/', childPath = '/a/b') relativePath === '' || // Same path (e.g. parentPath = '/a/b/', childPath = '/a/b')
|| !relativePath.startsWith('..') && !Path.isAbsolute(relativePath) // Sub path (!relativePath.startsWith('..') && !Path.isAbsolute(relativePath)) // Sub path
) )
} }
module.exports.isSameOrSubPath = isSameOrSubPath module.exports.isSameOrSubPath = isSameOrSubPath
@ -106,7 +105,10 @@ async function checkPathIsFile(filepath) {
module.exports.checkPathIsFile = checkPathIsFile module.exports.checkPathIsFile = checkPathIsFile
function getIno(path) { function getIno(path) {
return fs.stat(path, { bigint: true }).then((data => String(data.ino))).catch((err) => { return fs
.stat(path, { bigint: true })
.then((data) => String(data.ino))
.catch((err) => {
Logger.error('[Utils] Failed to get ino for path', path, err) Logger.error('[Utils] Failed to get ino for path', path, err)
return null return null
}) })
@ -177,7 +179,8 @@ async function recurseFiles(path, relPathToReplace = null) {
const directoriesToIgnore = [] const directoriesToIgnore = []
list = list.filter((item) => { list = list
.filter((item) => {
if (item.error) { if (item.error) {
Logger.error(`[fileUtils] Recurse files file "${item.fullname}" has error`, item.error) Logger.error(`[fileUtils] Recurse files file "${item.fullname}" has error`, item.error)
return false return false
@ -201,21 +204,23 @@ async function recurseFiles(path, relPathToReplace = null) {
} }
// Ignore any file if a directory or the filename starts with "." // Ignore any file if a directory or the filename starts with "."
if (relpath.split('/').find(p => p.startsWith('.'))) { if (relpath.split('/').find((p) => p.startsWith('.'))) {
Logger.debug(`[fileUtils] Ignoring path has . "${relpath}"`) Logger.debug(`[fileUtils] Ignoring path has . "${relpath}"`)
return false return false
} }
return true return true
}).filter(item => { })
.filter((item) => {
// Filter out items in ignore directories // Filter out items in ignore directories
if (directoriesToIgnore.some(dir => item.fullname.startsWith(dir))) { if (directoriesToIgnore.some((dir) => item.fullname.startsWith(dir))) {
Logger.debug(`[fileUtils] Ignoring path in dir with .ignore "${item.fullname}"`) Logger.debug(`[fileUtils] Ignoring path in dir with .ignore "${item.fullname}"`)
return false return false
} }
return true return true
}).map((item) => { })
var isInRoot = (item.path + '/' === relPathToReplace) .map((item) => {
var isInRoot = item.path + '/' === relPathToReplace
return { return {
name: item.name, name: item.name,
path: item.fullname.replace(relPathToReplace, ''), path: item.fullname.replace(relPathToReplace, ''),
@ -251,9 +256,10 @@ module.exports.downloadFile = (url, filepath, contentTypeFilter = null) => {
method: 'GET', method: 'GET',
responseType: 'stream', responseType: 'stream',
timeout: 30000, timeout: 30000,
httpAgent: ssrfFilter(url), httpAgent: global.DisableSsrfRequestFilter ? null : ssrfFilter(feedUrl),
httpsAgent: ssrfFilter(url) httpsAgent: global.DisableSsrfRequestFilter ? null : ssrfFilter(feedUrl)
}).then((response) => { })
.then((response) => {
// Validate content type // Validate content type
if (contentTypeFilter && !contentTypeFilter?.(response.headers?.['content-type'])) { if (contentTypeFilter && !contentTypeFilter?.(response.headers?.['content-type'])) {
return reject(new Error(`Invalid content type "${response.headers?.['content-type'] || ''}"`)) return reject(new Error(`Invalid content type "${response.headers?.['content-type'] || ''}"`))
@ -265,7 +271,8 @@ module.exports.downloadFile = (url, filepath, contentTypeFilter = null) => {
writer.on('finish', resolve) writer.on('finish', resolve)
writer.on('error', reject) writer.on('error', reject)
}).catch((err) => { })
.catch((err) => {
Logger.error(`[fileUtils] Failed to download file "${filepath}"`, err) Logger.error(`[fileUtils] Failed to download file "${filepath}"`, err)
reject(err) reject(err)
}) })
@ -350,14 +357,17 @@ module.exports.getAudioMimeTypeFromExtname = (extname) => {
module.exports.removeFile = (path) => { module.exports.removeFile = (path) => {
if (!path) return false if (!path) return false
return fs.remove(path).then(() => true).catch((error) => { return fs
.remove(path)
.then(() => true)
.catch((error) => {
Logger.error(`[fileUtils] Failed remove file "${path}"`, error) Logger.error(`[fileUtils] Failed remove file "${path}"`, error)
return false return false
}) })
} }
module.exports.encodeUriPath = (path) => { module.exports.encodeUriPath = (path) => {
const uri = new URL('/', "file://") const uri = new URL('/', 'file://')
// we assign the path here to assure that URL control characters like # are // we assign the path here to assure that URL control characters like # are
// actually interpreted as part of the URL path // actually interpreted as part of the URL path
uri.pathname = path uri.pathname = path
@ -398,7 +408,11 @@ module.exports.getWindowsDrives = async () => {
reject(error) reject(error)
return return
} }
let drives = stdout?.split(/\r?\n/).map(line => line.trim()).filter(line => line).slice(1) let drives = stdout
?.split(/\r?\n/)
.map((line) => line.trim())
.filter((line) => line)
.slice(1)
const validDrives = [] const validDrives = []
for (const drive of drives) { for (const drive of drives) {
let drivepath = drive + '/' let drivepath = drive + '/'
@ -423,7 +437,8 @@ module.exports.getWindowsDrives = async () => {
module.exports.getDirectoriesInPath = async (dirPath, level) => { module.exports.getDirectoriesInPath = async (dirPath, level) => {
try { try {
const paths = await fs.readdir(dirPath) const paths = await fs.readdir(dirPath)
let dirs = await Promise.all(paths.map(async dirname => { let dirs = await Promise.all(
paths.map(async (dirname) => {
const fullPath = Path.join(dirPath, dirname) const fullPath = Path.join(dirPath, dirname)
const lstat = await fs.lstat(fullPath).catch((error) => { const lstat = await fs.lstat(fullPath).catch((error) => {
@ -437,8 +452,9 @@ module.exports.getDirectoriesInPath = async (dirPath, level) => {
dirname, dirname,
level level
} }
})) })
dirs = dirs.filter(d => d) )
dirs = dirs.filter((d) => d)
return dirs return dirs
} catch (error) { } catch (error) {
Logger.error('Failed to readdir', dirPath, error) Logger.error('Failed to readdir', dirPath, error)

13
server/utils/podcastUtils.js
View File

@ -234,10 +234,10 @@ module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
timeout: 12000, timeout: 12000,
responseType: 'arraybuffer', responseType: 'arraybuffer',
headers: { Accept: 'application/rss+xml, application/xhtml+xml, application/xml, */*;q=0.8' }, headers: { Accept: 'application/rss+xml, application/xhtml+xml, application/xml, */*;q=0.8' },
httpAgent: ssrfFilter(feedUrl), httpAgent: global.DisableSsrfRequestFilter ? null : ssrfFilter(feedUrl),
httpsAgent: ssrfFilter(feedUrl) httpsAgent: global.DisableSsrfRequestFilter ? null : ssrfFilter(feedUrl)
}).then(async (data) => { })
.then(async (data) => {
// Adding support for ios-8859-1 encoded RSS feeds. // Adding support for ios-8859-1 encoded RSS feeds.
// See: https://github.com/advplyr/audiobookshelf/issues/1489 // See: https://github.com/advplyr/audiobookshelf/issues/1489
const contentType = data.headers?.['content-type'] || '' // e.g. text/xml; charset=iso-8859-1 const contentType = data.headers?.['content-type'] || '' // e.g. text/xml; charset=iso-8859-1
@ -261,7 +261,8 @@ module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
payload.podcast.metadata.feedUrl = feedUrl payload.podcast.metadata.feedUrl = feedUrl
return payload.podcast return payload.podcast
}).catch((error) => { })
.catch((error) => {
Logger.error('[podcastUtils] getPodcastFeed Error', error) Logger.error('[podcastUtils] getPodcastFeed Error', error)
return null return null
}) })
@ -283,7 +284,7 @@ module.exports.findMatchingEpisodesInFeed = (feed, searchTitle) => {
} }
const matches = [] const matches = []
feed.episodes.forEach(ep => { feed.episodes.forEach((ep) => {
if (!ep.title) return if (!ep.title) return
const epTitle = ep.title.toLowerCase().trim() const epTitle = ep.title.toLowerCase().trim()