WildDragonLLC/dragonflight
1
0
Fork 0
Code Issues 18 Pull requests 3 Projects Releases Packages Wiki Activity Actions

SSRF: POST /recorders/probe accepts arbitrary URLs and probes raw TCP/UDP on internal network #104

New issue
Closed
opened 2026-05-26 18:18:38 -04:00 by zgaetano · 2 comments
zgaetano commented 2026-05-26 18:18:38 -04:00
Owner
Copy link

Fixed in 04ce096. POST /recorders/probe now:

  • Restricts URL schemes to srt, rtmp, rtmps, rtsp, udp, rtp.
  • Rejects private / loopback / link-local / RFC1918 / AWS-metadata hosts for non-admin users.
  • Blocks common service ports (22, 25, 53, 80, 443, 5432, 6379, 9000, 9100, 9229) for non-admins.
  • Validates the URL before forwarding to the capture service so even the proxy path can't be abused.
Fixed in 04ce096. `POST /recorders/probe` now: - Restricts URL schemes to `srt`, `rtmp`, `rtmps`, `rtsp`, `udp`, `rtp`. - Rejects private / loopback / link-local / RFC1918 / AWS-metadata hosts for non-admin users. - Blocks common service ports (22, 25, 53, 80, 443, 5432, 6379, 9000, 9100, 9229) for non-admins. - Validates the URL before forwarding to the capture service so even the proxy path can't be abused.
zgaetano commented 2026-05-26 19:28:59 -04:00
Author
Owner
Copy link

🔧 Fix plan incoming — token verified, posting all plans now...

🔧 Fix plan incoming — token verified, posting all plans now...
zgaetano commented 2026-05-26 19:30:07 -04:00
Author
Owner
Copy link

Fix Plan — #104 SSRF via POST /recorders/probe

Root cause: recorders.js:698-744 forwards user-supplied URL to capture sidecar, falls back to raw net.connect/dgram against any host/port. No hostname validation.

Fix (3 steps):

  1. Allow-list protocols at top of handler:
const ALLOWED = new Set(["srt:", "rtmp:", "rtsp:"]);
if (!ALLOWED.has(parsedUrl.protocol))
  return res.status(400).json({ error: "Protocol not allowed" });
  1. Block internal addresses — reject RFC1918, link-local, loopback, cloud metadata:
const BLOCKED = ["10.","172.16.","192.168.","127.","169.254.","fd","::1","fe80:","100.64."];
if (BLOCKED.some(r => hostname.startsWith(r)))
  return res.status(403).json({ error: "Internal addresses blocked" });
  1. Strict body validationnew URL(), reject non-string/missing fields.

Files: src/routes/recorders.js:698-744
Effort: ~2h
**Priority: P0 — security

## Fix Plan — #104 SSRF via POST /recorders/probe **Root cause:** `recorders.js:698-744` forwards user-supplied URL to capture sidecar, falls back to raw `net.connect`/`dgram` against any host/port. No hostname validation. **Fix (3 steps):** 1. **Allow-list protocols** at top of handler: ```js const ALLOWED = new Set(["srt:", "rtmp:", "rtsp:"]); if (!ALLOWED.has(parsedUrl.protocol)) return res.status(400).json({ error: "Protocol not allowed" }); ``` 2. **Block internal addresses** — reject RFC1918, link-local, loopback, cloud metadata: ```js const BLOCKED = ["10.","172.16.","192.168.","127.","169.254.","fd","::1","fe80:","100.64."]; if (BLOCKED.some(r => hostname.startsWith(r))) return res.status(403).json({ error: "Internal addresses blocked" }); ``` 3. **Strict body validation** — `new URL()`, reject non-string/missing fields. **Files:** `src/routes/recorders.js:698-744` **Effort:** ~2h **Priority: P0 — security
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feat/playout-mcr
feat/user-permissions
feat/recorder-codec-bitrate
feat/hls-vod-playback
feat/uxp-plugin-swap
feat/nvenc-hevc-ingest
feat/all-intra-hevc-ingest
redesign/panel-icon-rail
feat/premiere-installer
feat/youtube-importer
fix/library-and-signal-indicator
fix/srt-rtmp-thumbnail
v0.phase1-editor
Labels
Clear labels   
bug

Bug report

  
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: WildDragonLLC/dragonflight#104
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?