Prevent SSRF requests

By validating the provided URL before passing it to youtube-dl
Pierre Rudloff 2022-02-27 10:54:56 +01:00
parent 2afbfb4bf2
commit 3a4f09dda0
7 changed files with 814 additions and 161 deletions


@ -11,6 +11,9 @@ use Alltube\Library\Downloader;
use Alltube\Library\Video;
use Alltube\LocaleManager;
use Aura\Session\Segment;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Exception\InvalidURLException;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Options;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Url;
use Psr\Container\ContainerInterface;
use Psr\Log\LoggerInterface;
use Slim\Http\Request;
@ -127,10 +130,11 @@ abstract class BaseController
* @param Request $request PSR-7 request
*
* @return string|null Password
* @throws InvalidURLException
*/
protected function getPassword(Request $request): ?string
{
$url = $request->getQueryParam('url');
$url = $this->getVideoPageUrl($request);
$password = $request->getParam('password');
if (isset($password)) {
@ -157,4 +161,19 @@ abstract class BaseController
return $controller->displayError($request, $response, $message);
}
/**
* @param Request $request
* @return string
* @throws InvalidURLException
*/
protected function getVideoPageUrl(Request $request): string
{
$url = $request->getQueryParam('url') ?: $request->getQueryParam('v');
// Prevent SSRF attacks.
$parts = Url::validateUrl($url, new Options());
return $parts['url'];
}
}
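Review bot: In getVideoPageUrl, when neither `url` nor `v` is present the `?:` chain yields null, and passing null into `Url::validateUrl()` will most likely surface as a TypeError rather than the documented InvalidURLException, so the missing-parameter case is not handled by the catch paths that expect the declared exception; the same applies to a non-string value such as `?url[]=x`. A guard before validation keeps the contract honest, e.g. `$url = $request->getQueryParam('url') ?? $request->getQueryParam('v') ?? throw new InvalidURLException('No video URL provided');` (assuming the exception's constructor accepts a message like the base Exception; otherwise construct it as the library expects), and `??` rather than `?:` also stops a literal `'0'` from being treated as absent. Because getPassword now routes through this method, it throws on a missing URL where it previously read the raw query parameter, which is worth stating in its docblock since callers of getPassword may not expect that. It is also worth a comment that this check inspects the URL at request time only, so the resolved address youtube-dl later connects to is not guaranteed to be the one validated here, e.g. `// Validates host/IP at request time; the downloader resolves the name again on its own.`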