prevent RCEs with crafted video files urls

Update Dockerfile
refactor: prevent multiple slashes
2025-07-23 10:16:40 +02:00 · 2025-04-13 20:13:59 +02:00 · 2025-03-30 10:29:13 +02:00 · 2025-03-30 10:21:19 +02:00 · 2025-03-30 10:17:30 +02:00 · 2025-03-30 09:54:27 +02:00
8 changed files with 77 additions and 35 deletions
--- a/9
+++ b/9
@@ -24,11 +24,12 @@ COPY --from=ui /usr/src/yt-dlp-webui/frontend /usr/src/yt-dlp-webui/frontend
 RUN CGO_ENABLED=0 GOOS=linux go build -o yt-dlp-webui
 # -----------------------------------------------------------------------------

-# dependencies ----------------------------------------------------------------
-FROM alpine:edge
+# Runtime ---------------------------------------------------------------------
+FROM python:3.13.2-alpine3.21

 RUN apk update && \
-apk add ffmpeg yt-dlp ca-certificates curl wget psmisc
+apk add ffmpeg ca-certificates curl wget gnutls --no-cache && \
+pip install "yt-dlp[default,curl-cffi,mutagen,pycryptodomex,phantomjs,secretstorage]"

 VOLUME /downloads /config

@@ -39,4 +40,4 @@ COPY --from=build /usr/src/yt-dlp-webui/yt-dlp-webui /app
 ENV JWT_SECRET=secret

 EXPOSE 3033
-ENTRYPOINT [ "./yt-dlp-webui" , "--out", "/downloads", "--conf", "/config/config.yml", "--db", "/config/local.db" ]
+ENTRYPOINT [ "./yt-dlp-webui" , "--out", "/downloads", "--conf", "/config/config.yml", "--db", "/config/local.db" ]
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ docker pull ghcr.io/marcopiovanello/yt-dlp-web-ui:latest
 ## Community stuff
 Feel free to join :)

-[![Discord Banner](https://api.weblutions.com/discord/invite/3Sj9ZZHv/)](https://discord.gg/WRnVWr4y)
+[Discord](https://discord.gg/GZAX5FfGzE)

 ## Some screeshots
 ![image](https://github.com/user-attachments/assets/fc43a3fb-ecf9-449d-b5cb-5d5635020c00)
--- a/frontend/src/atoms/settings.ts
+++ b/frontend/src/atoms/settings.ts
@@ -121,14 +121,18 @@ export const appTitleState = atomWithStorage(
 export const serverAddressAndPortState = atom((get) => {
  if (get(servedFromReverseProxySubDirState)) {
    return `${get(serverAddressState)}/${get(servedFromReverseProxySubDirState)}/`
-      .replaceAll('"', '') // TODO: atomWithStorage put extra double quotes on strings
+      .replaceAll('"', '')    // XXX: atomWithStorage uses JSON.stringify to serialize
+      .replaceAll('//', '/')  // which puts extra double quotes.
  }
  if (get(servedFromReverseProxyState)) {
    return `${get(serverAddressState)}`
      .replaceAll('"', '')
  }
-  return `${get(serverAddressState)}:${get(serverPortState)}`
+
+  const sap = `${get(serverAddressState)}:${get(serverPortState)}`
    .replaceAll('"', '')
+
+  return sap.endsWith('/') ? sap.slice(0, -1) : sap
 })

 export const serverURL = atom((get) =>
@@ -137,12 +141,16 @@ export const serverURL = atom((get) =>

 export const rpcWebSocketEndpoint = atom((get) => {
  const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
-  return `${proto}//${get(serverAddressAndPortState)}/rpc/ws`
+  const sap = get(serverAddressAndPortState)
+
+  return `${proto}//${sap.endsWith('/') ? sap.slice(0, -1) : sap}/rpc/ws`
 })

 export const rpcHTTPEndpoint = atom((get) => {
  const proto = window.location.protocol
-  return `${proto}//${get(serverAddressAndPortState)}/rpc/http`
+  const sap = get(serverAddressAndPortState)
+
+  return `${proto}//${sap.endsWith('/') ? sap.slice(0, -1) : sap}/rpc/http`
 })

 export const serverSideCookiesState = atom<Promise<string>>(async (get) => await pipe(
--- a/frontend/src/components/HomeSpeedDial.tsx
+++ b/frontend/src/components/HomeSpeedDial.tsx
@@ -32,6 +32,7 @@ const HomeSpeedDial: React.FC<Props> = ({ onDownloadOpen, onEditorOpen }) => {
      ariaLabel="Home speed dial"
      sx={{ position: 'absolute', bottom: 64, right: 24 }}
      icon={<SpeedDialIcon />}
+      onClick={onDownloadOpen}
    >
      <SpeedDialAction
        icon={listView ? <ViewAgendaIcon /> : <FormatListBulleted />}
--- a/frontend/src/lib/httpClient.ts
+++ b/frontend/src/lib/httpClient.ts
@@ -1,6 +1,9 @@
 import { tryCatch } from 'fp-ts/TaskEither'
+import * as J from 'fp-ts/Json'
+import * as E from 'fp-ts/Either'
+import { pipe } from 'fp-ts/lib/function'

-async function fetcher<T>(url: string, opt?: RequestInit): Promise<T> {
+async function fetcher(url: string, opt?: RequestInit, controller?: AbortController): Promise<string> {
  const jwt = localStorage.getItem('token')

  if (opt && !opt.headers) {
@@ -14,17 +17,27 @@ async function fetcher<T>(url: string, opt?: RequestInit): Promise<T> {
    headers: {
      ...opt?.headers,
      'X-Authentication': jwt ?? ''
-    }
+    },
+    signal: controller?.signal
  })

  if (!res.ok) {
    throw await res.text()
  }

-  return res.json() as T
+
+
+  return res.text()
 }

-export const ffetch = <T>(url: string, opt?: RequestInit) => tryCatch(
-  () => fetcher<T>(url, opt),
+export const ffetch = <T>(url: string, opt?: RequestInit, controller?: AbortController) => tryCatch(
+  async () => pipe(
+    await fetcher(url, opt, controller),
+    J.parse,
+    E.match(
+      (l) => l as T,
+      (r) => r as T
+    )
+  ),
  (e) => `error while fetching: ${e}`
 )
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -9,27 +9,28 @@ import (
 )

 type Config struct {
-	LogPath            string `yaml:"log_path"`
-	EnableFileLogging  bool   `yaml:"enable_file_logging"`
-	BaseURL            string `yaml:"base_url"`
-	Host               string `yaml:"host"`
-	Port               int    `yaml:"port"`
-	DownloadPath       string `yaml:"downloadPath"`
-	DownloaderPath     string `yaml:"downloaderPath"`
-	RequireAuth        bool   `yaml:"require_auth"`
-	Username           string `yaml:"username"`
-	Password           string `yaml:"password"`
-	QueueSize          int    `yaml:"queue_size"`
-	LocalDatabasePath  string `yaml:"local_database_path"`
-	SessionFilePath    string `yaml:"session_file_path"`
-	path               string // private
-	UseOpenId          bool   `yaml:"use_openid"`
-	OpenIdProviderURL  string `yaml:"openid_provider_url"`
-	OpenIdClientId     string `yaml:"openid_client_id"`
-	OpenIdClientSecret string `yaml:"openid_client_secret"`
-	OpenIdRedirectURL  string `yaml:"openid_redirect_url"`
-	FrontendPath       string `yaml:"frontend_path"`
-	AutoArchive        bool   `yaml:"auto_archive"`
+	LogPath              string   `yaml:"log_path"`
+	EnableFileLogging    bool     `yaml:"enable_file_logging"`
+	BaseURL              string   `yaml:"base_url"`
+	Host                 string   `yaml:"host"`
+	Port                 int      `yaml:"port"`
+	DownloadPath         string   `yaml:"downloadPath"`
+	DownloaderPath       string   `yaml:"downloaderPath"`
+	RequireAuth          bool     `yaml:"require_auth"`
+	Username             string   `yaml:"username"`
+	Password             string   `yaml:"password"`
+	QueueSize            int      `yaml:"queue_size"`
+	LocalDatabasePath    string   `yaml:"local_database_path"`
+	SessionFilePath      string   `yaml:"session_file_path"`
+	path                 string   // private
+	UseOpenId            bool     `yaml:"use_openid"`
+	OpenIdProviderURL    string   `yaml:"openid_provider_url"`
+	OpenIdClientId       string   `yaml:"openid_client_id"`
+	OpenIdClientSecret   string   `yaml:"openid_client_secret"`
+	OpenIdRedirectURL    string   `yaml:"openid_redirect_url"`
+	OpenIdEmailWhitelist []string `yaml:"openid_email_whitelist"`
+	FrontendPath         string   `yaml:"frontend_path"`
+	AutoArchive          bool     `yaml:"auto_archive"`
 }

 var (
--- a/server/internal/process.go
+++ b/server/internal/process.go
@@ -93,6 +93,7 @@ func (p *Process) Start() {

 	baseParams := []string{
 		strings.Split(p.Url, "?list")[0], //no playlist
+		"--no-exec",
 		"--newline",
 		"--no-colors",
 		"--no-playlist",
--- a/server/openid/handler.go
+++ b/server/openid/handler.go
@@ -6,10 +6,12 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"slices"
 	"time"

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/uuid"
+	"github.com/marcopiovanello/yt-dlp-web-ui/v3/server/config"
 	"golang.org/x/oauth2"
 )

@@ -76,6 +78,21 @@ func doAuthentification(r *http.Request, setCookieCallback func(t *oauth2.Token)
 		return nil, err
 	}

+	var claims struct {
+		Email    string `json:"email"`
+		Verified bool   `json:"email_verified"`
+	}
+
+	if err := idToken.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	whitelist := config.Instance().OpenIdEmailWhitelist
+
+	if len(whitelist) > 0 && !slices.Contains(whitelist, claims.Email) {
+		return nil, errors.New("email address not found in ACL")
+	}
+
 	nonce, err := r.Cookie("nonce")
 	if err != nil {
 		return nil, err
Author	SHA1	Message	Date
Marco Piovanello	f7539d8abf	prevent RCEs with crafted video files urls	2025-07-23 10:16:40 +02:00
Marco Piovanello	8a73079fad	Update Dockerfile	2025-04-13 20:13:59 +02:00
marcobaobao	f578f44cfd	refactor: prevent multiple slashes	2025-03-30 10:29:13 +02:00
marcobaobao	cbe16c5c6c	refactoring: readded abort controller to httpClient.ts	2025-03-30 10:21:19 +02:00
marcobaobao	3cebaf7f61	refactor: extra slashes prevention	2025-03-30 10:17:30 +02:00
Marco Piovanello	2d2cb1dc3a	Update README.md	2025-03-30 09:54:27 +02:00
Marco Piovanello	43bcc40907	293 tiny gui improvement (#296 ) * clicking on the speed dial will open download dialog * refactor: prevent multiple slashes	2025-03-29 21:27:28 +01:00
Marco Piovanello	2af27e51be	Chore dockerfile refactor (#287 ) * removed yt-dlp alpine package * use python3-alpine base image	2025-03-22 16:17:25 +01:00
Marco Piovanello	8c18242aaf	removed yt-dlp alpine package (#286 )	2025-03-22 15:27:48 +01:00
Marco Piovanello	66bebb2529	Update README.md	2025-03-17 11:23:29 +01:00
Marco Piovanello	e223e030ac	restrict user with a whitelist (#282 )	2025-03-17 11:13:20 +01:00