Add back restricted Stream.AddStream functionality #1331

Merged
merged 8 commits into from
Jan 19, 2025
34 changes: 34 additions & 0 deletions doc/json_rpc_api/control.md
Expand Up @@ -161,6 +161,8 @@ The Server JSON object contains a list of Groups and Streams. Every Group holds
* Stream
* [Stream.Control](#streamcontrol)
* [Stream.SetProperty](#streamsetproperty)
* [Stream.AddStream](#streamaddstream)
* [Stream.RemoveStream](#streamremovestream)

### Notifications

Expand Down Expand Up @@ -480,6 +482,38 @@ See [Plugin.Stream.Player.SetProperty](stream_plugin.md#pluginstreamplayersetpro
{"id": 1, "jsonrpc": "2.0", "result": "ok"}
```

### Stream.AddStream

Note: for security purposes, we don't allow adding `process` streams.
We also don't allow setting the `controlscript` query parameter of streamUri.

#### Request

```json
{"id":8,"jsonrpc":"2.0","method":"Stream.AddStream","params":{"streamUri":"pipe:///tmp/snapfifo?name=stream 2"}}
```

#### Response

```json
{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
```

### Stream.RemoveStream

#### Request

```json
{"id":8,"jsonrpc":"2.0","method":"Stream.RemoveStream","params":{"id":"stream 2"}}
```

#### Response

```json
{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
```


##### Error

```json
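Review bot: The new Stream.AddStream and Stream.RemoveStream sections are inserted between the preceding method's Response example and its `##### Error` heading (the trailing context lines of this hunk), so that existing error example now reads as if it belonged to Stream.RemoveStream. Move the two new sections below the existing Error block. The security note would also be more useful with an example of the error a client receives for a rejected `process` URI or a `controlscript` query parameter, since the request and response examples only cover the accepted case.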
13 changes: 10 additions & 3 deletions server/control_requests.cpp
Expand Up @@ -99,10 +99,8 @@ ControlRequestFactory::ControlRequestFactory(const Server& server)
// Stream requests
add_request(std::make_shared<StreamControlRequest>(server));
add_request(std::make_shared<StreamSetPropertyRequest>(server));
#if 0 // Removed to fix CVE-2023-36177
add_request(std::make_shared<StreamAddRequest>(server));
add_request(std::make_shared<StreamRemoveRequest>(server));
#endif

// Server requests
add_request(std::make_shared<ServerGetRpcVersionRequest>(server));
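Review bot: Dropping the `#if 0` guard re-registers `StreamRemoveRequest` as well as `StreamAddRequest`, yet the file summary (10 additions, 3 deletions) is fully accounted for by this hunk and the `StreamAddRequest::execute` hunk, so the remove handler comes back unchanged. Please confirm that is intended, in particular whether a control client should be able to remove streams it did not add over RPC. A short comment at this registration site pointing to the checks in `StreamAddRequest::execute` would also keep the CVE-2023-36177 context that the deleted `#if 0` line carried.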
Expand Down Expand Up @@ -692,11 +690,20 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&

checkParams(request, {"streamUri"});

// Don't allow adding a process stream: CVE-2023-36177
const std::string streamUri = request->params().get("streamUri");
const StreamUri parsedUri(streamUri);
if(parsedUri.scheme == "process")
throw jsonrpcpp::InvalidParamsException("Adding process streams is not allowed", request->id());

// Don't allow settings the controlscript streamUri property
if (!parsedUri.getQuery("controlscript").empty())
throw jsonrpcpp::InvalidParamsException("No controlscript streamUri property allowed", request->id());

std::ignore = authinfo;
LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n";

// Add stream
std::string streamUri = request->params().get("streamUri");
PcmStreamPtr stream = getStreamManager().addStream(streamUri);
if (stream == nullptr)
throw jsonrpcpp::InternalErrorException("Stream not created", request->id());
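Review bot: The check `parsedUri.scheme == "process"` is a single-entry denylist with an exact string match, so every other scheme `StreamUri` accepts remains reachable over RPC, and a differently cased scheme passes unless `StreamUri` normalizes it. An allowlist of schemes considered safe to add remotely would fail closed when new stream types are introduced. The `controlscript` test has the same shape: it rejects only a non-empty value under that exact key. Both throws also run before the `LOG(INFO, LOG_TAG)` line, so rejected requests leave no log entry; logging the refusal with the offending URI would help detection. Minor: the comment should read "setting", and the log line can reuse the new `streamUri` variable instead of calling `request->params().get("streamUri")` again.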