Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-04-20 01:17:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update:API endpoint /podcasts/feed validates rssFeed URL and uses SSRF req filter

Browse Source
This commit is contained in:
advplyr 2023-12-17 12:00:11 -06:00
parent dc67a52000
commit f2f2ea161c
3 changed files with 57 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
server/controllers/PodcastController.js
View File

@ -6,6 +6,7 @@ const fs = require('../libs/fsExtra')
const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils') const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils')
const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils') const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils')
const { validateUrl } = require('../utils/index')
const Scanner = require('../scanner/Scanner') const Scanner = require('../scanner/Scanner')
const CoverManager = require('../managers/CoverManager') const CoverManager = require('../managers/CoverManager')
@ -102,15 +103,24 @@ class PodcastController {
} }
} }
/**
* POST: /api/podcasts/feed
*
* @typedef getPodcastFeedReqBody
* @property {string} rssFeed
*
* @param {import('express').Request<{}, {}, getPodcastFeedReqBody, {}} req
* @param {import('express').Response} res
*/
async getPodcastFeed(req, res) { async getPodcastFeed(req, res) {
if (!req.user.isAdminOrUp) { if (!req.user.isAdminOrUp) {
Logger.error(`[PodcastController] Non-admin user "${req.user.username}" attempted to get podcast feed`) Logger.error(`[PodcastController] Non-admin user "${req.user.username}" attempted to get podcast feed`)
return res.sendStatus(403) return res.sendStatus(403)
} }
var url = req.body.rssFeed const url = validateUrl(req.body.rssFeed)
if (!url) { if (!url) {
return res.status(400).send('Bad request') return res.status(400).send('Invalid request body. "rssFeed" must be a valid URL')
} }
const podcast = await getPodcastFeed(url) const podcast = await getPodcastFeed(url)

28
server/utils/index.js
View File

@ -11,24 +11,24 @@ const levenshteinDistance = (str1, str2, caseSensitive = false) => {
str2 = str2.toLowerCase() str2 = str2.toLowerCase()
} }
const track = Array(str2.length + 1).fill(null).map(() => const track = Array(str2.length + 1).fill(null).map(() =>
Array(str1.length + 1).fill(null)); Array(str1.length + 1).fill(null))
for (let i = 0; i <= str1.length; i += 1) { for (let i = 0; i <= str1.length; i += 1) {
track[0][i] = i; track[0][i] = i
} }
for (let j = 0; j <= str2.length; j += 1) { for (let j = 0; j <= str2.length; j += 1) {
track[j][0] = j; track[j][0] = j
} }
for (let j = 1; j <= str2.length; j += 1) { for (let j = 1; j <= str2.length; j += 1) {
for (let i = 1; i <= str1.length; i += 1) { for (let i = 1; i <= str1.length; i += 1) {
const indicator = str1[i - 1] === str2[j - 1] ? 0 : 1; const indicator = str1[i - 1] === str2[j - 1] ? 0 : 1
track[j][i] = Math.min( track[j][i] = Math.min(
track[j][i - 1] + 1, // deletion track[j][i - 1] + 1, // deletion
track[j - 1][i] + 1, // insertion track[j - 1][i] + 1, // insertion
track[j - 1][i - 1] + indicator, // substitution track[j - 1][i - 1] + indicator, // substitution
); )
} }
} }
return track[str2.length][str1.length]; return track[str2.length][str1.length]
} }
module.exports.levenshteinDistance = levenshteinDistance module.exports.levenshteinDistance = levenshteinDistance
@ -204,4 +204,20 @@ module.exports.asciiOnlyToLowerCase = (str) => {
module.exports.escapeRegExp = (str) => { module.exports.escapeRegExp = (str) => {
if (typeof str !== 'string') return '' if (typeof str !== 'string') return ''
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
}
/**
* Validate url string with URL class
*
* @param {string} rawUrl
* @returns {string} null if invalid
*/
module.exports.validateUrl = (rawUrl) => {
if (!rawUrl || typeof rawUrl !== 'string') return null
try {
return new URL(rawUrl).toString()
} catch (error) {
Logger.error(`Invalid URL "${rawUrl}"`, error)
return null
}
} }

28
server/utils/podcastUtils.js
View File

@ -1,5 +1,6 @@
const Logger = require('../Logger')
const axios = require('axios') const axios = require('axios')
const ssrfFilter = require('ssrf-req-filter')
const Logger = require('../Logger')
const { xmlToJSON, levenshteinDistance } = require('./index') const { xmlToJSON, levenshteinDistance } = require('./index')
const htmlSanitizer = require('../utils/htmlSanitizer') const htmlSanitizer = require('../utils/htmlSanitizer')
@ -216,9 +217,26 @@ module.exports.parsePodcastRssFeedXml = async (xml, excludeEpisodeMetadata = fal
} }
} }
/**
* Get podcast RSS feed as JSON
* Uses SSRF filter to prevent internal URLs
*
* @param {string} feedUrl
* @param {boolean} [excludeEpisodeMetadata=false]
* @returns {Promise}
*/
module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => { module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
Logger.debug(`[podcastUtils] getPodcastFeed for "${feedUrl}"`) Logger.debug(`[podcastUtils] getPodcastFeed for "${feedUrl}"`)
return axios.get(feedUrl, { timeout: 12000, responseType: 'arraybuffer', headers: { Accept: 'application/rss+xml' } }).then(async (data) => {
return axios({
url: feedUrl,
method: 'GET',
timeout: 12000,
responseType: 'arraybuffer',
headers: { Accept: 'application/rss+xml' },
httpAgent: ssrfFilter(feedUrl),
httpsAgent: ssrfFilter(feedUrl)
}).then(async (data) => {
// Adding support for ios-8859-1 encoded RSS feeds. // Adding support for ios-8859-1 encoded RSS feeds.
// See: https://github.com/advplyr/audiobookshelf/issues/1489 // See: https://github.com/advplyr/audiobookshelf/issues/1489
@ -231,12 +249,12 @@ module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
if (!data?.data) { if (!data?.data) {
Logger.error(`[podcastUtils] getPodcastFeed: Invalid podcast feed request response (${feedUrl})`) Logger.error(`[podcastUtils] getPodcastFeed: Invalid podcast feed request response (${feedUrl})`)
return false return null
} }
Logger.debug(`[podcastUtils] getPodcastFeed for "${feedUrl}" success - parsing xml`) Logger.debug(`[podcastUtils] getPodcastFeed for "${feedUrl}" success - parsing xml`)
const payload = await this.parsePodcastRssFeedXml(data.data, excludeEpisodeMetadata) const payload = await this.parsePodcastRssFeedXml(data.data, excludeEpisodeMetadata)
if (!payload) { if (!payload) {
return false return null
} }
// RSS feed may be a private RSS feed // RSS feed may be a private RSS feed
@ -245,7 +263,7 @@ module.exports.getPodcastFeed = (feedUrl, excludeEpisodeMetadata = false) => {
return payload.podcast return payload.podcast
}).catch((error) => { }).catch((error) => {
Logger.error('[podcastUtils] getPodcastFeed Error', error) Logger.error('[podcastUtils] getPodcastFeed Error', error)
return false return null
}) })
} }