prevent RCEs with crafted video files urls

* clicking on the speed dial will open download dialog

* refactor: prevent multiple slashes

.deploystack/docker-run.txt

@@ -0,0 +1 @@
+docker run -d -p 3033:3033 -v /downloads:/downloads marcobaobao/yt-dlp-webui

.dockerignore

@@ -3,6 +3,7 @@
 result/
 result
 dist
+.pnpm-store/
 .pnpm-debug.log
 node_modules
 .env
@@ -20,9 +21,11 @@ cookies.txt
 __debug*
 ui/
 .idea
+.idea/
 frontend/.pnp.cjs
 frontend/.pnp.loader.mjs
 frontend/.yarn/install-state.gz
 .db.lock
 livestreams.dat
-.git
+.vite/deps
+archive.txt

Dockerfile

@@ -24,11 +24,12 @@ COPY --from=ui /usr/src/yt-dlp-webui/frontend /usr/src/yt-dlp-webui/frontend
 RUN CGO_ENABLED=0 GOOS=linux go build -o yt-dlp-webui
 # -----------------------------------------------------------------------------
 
-# dependencies ----------------------------------------------------------------
-FROM alpine:edge
+# Runtime ---------------------------------------------------------------------
+FROM python:3.13.2-alpine3.21
 
 RUN apk update && \
-apk add ffmpeg yt-dlp ca-certificates curl wget psmisc
+apk add ffmpeg ca-certificates curl wget gnutls --no-cache && \
+pip install "yt-dlp[default,curl-cffi,mutagen,pycryptodomex,phantomjs,secretstorage]"
 
 VOLUME /downloads /config
 
@@ -39,4 +40,4 @@ COPY --from=build /usr/src/yt-dlp-webui/yt-dlp-webui /app
 ENV JWT_SECRET=secret
 
 EXPOSE 3033
-ENTRYPOINT [ "./yt-dlp-webui" , "--out", "/downloads", "--conf", "/config/config.yml", "--db", "/config/local.db" ]
+ENTRYPOINT [ "./yt-dlp-webui" , "--out", "/downloads", "--conf", "/config/config.yml", "--db", "/config/local.db" ]

README.md

@@ -28,7 +28,7 @@ docker pull ghcr.io/marcopiovanello/yt-dlp-web-ui:latest
 ## Community stuff
 Feel free to join :)
 
-[![Discord Banner](https://api.weblutions.com/discord/invite/3Sj9ZZHv/)](https://discord.gg/3Sj9ZZHv)
+[Discord](https://discord.gg/GZAX5FfGzE)
 
 ## Some screeshots
 ![image](https://github.com/user-attachments/assets/fc43a3fb-ecf9-449d-b5cb-5d5635020c00)
@@ -115,6 +115,16 @@ services:
     restart: unless-stopped
 ```
 
+### ⚡ One-Click Deploy
+
+| Cloud Provider | Deploy Button |
+|----------------|---------------|
+| AWS | <a href="https://deploystack.io/deploy/marcopiovanello-yt-dlp-web-ui?provider=aws&language=cfn"><img src="https://raw.githubusercontent.com/deploystackio/deploy-templates/refs/heads/main/.assets/img/aws.svg" height="38"></a> |
+| DigitalOcean | <a href="https://deploystack.io/deploy/marcopiovanello-yt-dlp-web-ui?provider=do&language=dop"><img src="https://raw.githubusercontent.com/deploystackio/deploy-templates/refs/heads/main/.assets/img/do.svg" height="38"></a> |
+| Render | <a href="https://deploystack.io/deploy/marcopiovanello-yt-dlp-web-ui?provider=rnd&language=rnd"><img src="https://raw.githubusercontent.com/deploystackio/deploy-templates/refs/heads/main/.assets/img/rnd.svg" height="38"></a> |
+
+<sub>Generated by <a href="https://deploystack.io/c/marcopiovanello-yt-dlp-web-ui" target="_blank">DeployStack.io</a></sub>
+
 ## [Prebuilt binaries](https://github.com/marcopiovanello/yt-dlp-web-ui/releases) installation
 
 ```sh

frontend/src/assets/i18n/en_US.yaml

@@ -79,4 +79,5 @@ keys:
     The monitor job will be scheduled/triggered by a defined cron expression (defaults to every 5 minutes if left blank).
   cronExpressionLabel: 'Cron expression'
   editButtonLabel: 'Edit'
-  newSubscriptionButton: New subscription
+  newSubscriptionButton: New subscription
+  clearCompletedButton: 'Clear completed'

frontend/src/atoms/settings.ts

@@ -121,14 +121,18 @@ export const appTitleState = atomWithStorage(
 export const serverAddressAndPortState = atom((get) => {
   if (get(servedFromReverseProxySubDirState)) {
     return `${get(serverAddressState)}/${get(servedFromReverseProxySubDirState)}/`
-      .replaceAll('"', '') // TODO: atomWithStorage put extra double quotes on strings
+      .replaceAll('"', '')    // XXX: atomWithStorage uses JSON.stringify to serialize
+      .replaceAll('//', '/')  // which puts extra double quotes.
   }
   if (get(servedFromReverseProxyState)) {
     return `${get(serverAddressState)}`
       .replaceAll('"', '')
   }
-  return `${get(serverAddressState)}:${get(serverPortState)}`
+
+  const sap = `${get(serverAddressState)}:${get(serverPortState)}`
     .replaceAll('"', '')
+
+  return sap.endsWith('/') ? sap.slice(0, -1) : sap
 })
 
 export const serverURL = atom((get) =>
@@ -137,12 +141,16 @@ export const serverURL = atom((get) =>
 
 export const rpcWebSocketEndpoint = atom((get) => {
   const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
-  return `${proto}//${get(serverAddressAndPortState)}/rpc/ws`
+  const sap = get(serverAddressAndPortState)
+
+  return `${proto}//${sap.endsWith('/') ? sap.slice(0, -1) : sap}/rpc/ws`
 })
 
 export const rpcHTTPEndpoint = atom((get) => {
   const proto = window.location.protocol
-  return `${proto}//${get(serverAddressAndPortState)}/rpc/http`
+  const sap = get(serverAddressAndPortState)
+
+  return `${proto}//${sap.endsWith('/') ? sap.slice(0, -1) : sap}/rpc/http`
 })
 
 export const serverSideCookiesState = atom<Promise<string>>(async (get) => await pipe(

frontend/src/components/HomeSpeedDial.tsx

@@ -1,5 +1,6 @@
 import AddCircleIcon from '@mui/icons-material/AddCircle'
 import BuildCircleIcon from '@mui/icons-material/BuildCircle'
+import ClearAllIcon from '@mui/icons-material/ClearAll'
 import DeleteForeverIcon from '@mui/icons-material/DeleteForever'
 import FolderZipIcon from '@mui/icons-material/FolderZip'
 import FormatListBulleted from '@mui/icons-material/FormatListBulleted'
@@ -31,6 +32,7 @@ const HomeSpeedDial: React.FC<Props> = ({ onDownloadOpen, onEditorOpen }) => {
       ariaLabel="Home speed dial"
       sx={{ position: 'absolute', bottom: 64, right: 24 }}
       icon={<SpeedDialIcon />}
+      onClick={onDownloadOpen}
     >
       <SpeedDialAction
         icon={listView ? <ViewAgendaIcon /> : <FormatListBulleted />}
@@ -42,6 +44,11 @@ const HomeSpeedDial: React.FC<Props> = ({ onDownloadOpen, onEditorOpen }) => {
         tooltipTitle={i18n.t('bulkDownload')}
         onClick={() => window.open(`${serverAddr}/archive/bulk?token=${localStorage.getItem('token')}`)}
       />
+      <SpeedDialAction
+        icon={<ClearAllIcon />}
+        tooltipTitle={i18n.t('clearCompletedButton')}
+        onClick={() => client.clearCompleted()}
+      />
       <SpeedDialAction
         icon={<DeleteForeverIcon />}
         tooltipTitle={i18n.t('abortAllButton')}

frontend/src/lib/httpClient.ts

@@ -1,6 +1,9 @@
 import { tryCatch } from 'fp-ts/TaskEither'
+import * as J from 'fp-ts/Json'
+import * as E from 'fp-ts/Either'
+import { pipe } from 'fp-ts/lib/function'
 
-async function fetcher<T>(url: string, opt?: RequestInit): Promise<T> {
+async function fetcher(url: string, opt?: RequestInit, controller?: AbortController): Promise<string> {
   const jwt = localStorage.getItem('token')
 
   if (opt && !opt.headers) {
@@ -14,17 +17,27 @@ async function fetcher<T>(url: string, opt?: RequestInit): Promise<T> {
     headers: {
       ...opt?.headers,
       'X-Authentication': jwt ?? ''
-    }
+    },
+    signal: controller?.signal
   })
 
   if (!res.ok) {
     throw await res.text()
   }
 
-  return res.json() as T
+
+
+  return res.text()
 }
 
-export const ffetch = <T>(url: string, opt?: RequestInit) => tryCatch(
-  () => fetcher<T>(url, opt),
+export const ffetch = <T>(url: string, opt?: RequestInit, controller?: AbortController) => tryCatch(
+  async () => pipe(
+    await fetcher(url, opt, controller),
+    J.parse,
+    E.match(
+      (l) => l as T,
+      (r) => r as T
+    )
+  ),
   (e) => `error while fetching: ${e}`
 )

frontend/src/lib/rpcClient.ts

@@ -200,4 +200,11 @@ export class RPCClient {
       params: []
     })
   }
+
+  public clearCompleted() {
+    return this.sendHTTP({
+      method: 'Service.ClearCompleted',
+      params: []
+    })
+  }
 }

frontend/src/types/index.ts

@@ -13,6 +13,7 @@ export type RPCMethods =
   | "Service.ProgressLivestream"
   | "Service.KillLivestream"
   | "Service.KillAllLivestream"
+  | "Service.ClearCompleted"
 
 export type RPCRequest = {
   method: RPCMethods

go.mod

@@ -1,6 +1,6 @@
 module github.com/marcopiovanello/yt-dlp-web-ui/v3
 
-go 1.23
+go 1.24
 
 require (
 	github.com/asaskevich/EventBus v0.0.0-20200907212545-49d423059eef

server/config/config.go

@@ -9,27 +9,28 @@ import (
 )
 
 type Config struct {
-	LogPath            string `yaml:"log_path"`
-	EnableFileLogging  bool   `yaml:"enable_file_logging"`
-	BaseURL            string `yaml:"base_url"`
-	Host               string `yaml:"host"`
-	Port               int    `yaml:"port"`
-	DownloadPath       string `yaml:"downloadPath"`
-	DownloaderPath     string `yaml:"downloaderPath"`
-	RequireAuth        bool   `yaml:"require_auth"`
-	Username           string `yaml:"username"`
-	Password           string `yaml:"password"`
-	QueueSize          int    `yaml:"queue_size"`
-	LocalDatabasePath  string `yaml:"local_database_path"`
-	SessionFilePath    string `yaml:"session_file_path"`
-	path               string // private
-	UseOpenId          bool   `yaml:"use_openid"`
-	OpenIdProviderURL  string `yaml:"openid_provider_url"`
-	OpenIdClientId     string `yaml:"openid_client_id"`
-	OpenIdClientSecret string `yaml:"openid_client_secret"`
-	OpenIdRedirectURL  string `yaml:"openid_redirect_url"`
-	FrontendPath       string `yaml:"frontend_path"`
-	AutoArchive        bool   `yaml:"auto_archive"`
+	LogPath              string   `yaml:"log_path"`
+	EnableFileLogging    bool     `yaml:"enable_file_logging"`
+	BaseURL              string   `yaml:"base_url"`
+	Host                 string   `yaml:"host"`
+	Port                 int      `yaml:"port"`
+	DownloadPath         string   `yaml:"downloadPath"`
+	DownloaderPath       string   `yaml:"downloaderPath"`
+	RequireAuth          bool     `yaml:"require_auth"`
+	Username             string   `yaml:"username"`
+	Password             string   `yaml:"password"`
+	QueueSize            int      `yaml:"queue_size"`
+	LocalDatabasePath    string   `yaml:"local_database_path"`
+	SessionFilePath      string   `yaml:"session_file_path"`
+	path                 string   // private
+	UseOpenId            bool     `yaml:"use_openid"`
+	OpenIdProviderURL    string   `yaml:"openid_provider_url"`
+	OpenIdClientId       string   `yaml:"openid_client_id"`
+	OpenIdClientSecret   string   `yaml:"openid_client_secret"`
+	OpenIdRedirectURL    string   `yaml:"openid_redirect_url"`
+	OpenIdEmailWhitelist []string `yaml:"openid_email_whitelist"`
+	FrontendPath         string   `yaml:"frontend_path"`
+	AutoArchive          bool     `yaml:"auto_archive"`
 }
 
 var (

server/internal/balancer.go

@@ -2,6 +2,7 @@ package internal
 
 import (
 	"container/heap"
+	"log/slog"
 )
 
 type LoadBalancer struct {
@@ -9,7 +10,29 @@ type LoadBalancer struct {
 	done chan *Worker
 }
 
-func (b *LoadBalancer) Balance(work chan Process) {
+func NewLoadBalancer(numWorker int) *LoadBalancer {
+	var pool Pool
+
+	doneChan := make(chan *Worker)
+
+	for i := range numWorker {
+		w := &Worker{
+			requests: make(chan *Process, 1),
+			index:    i,
+		}
+		go w.Work(doneChan)
+		pool = append(pool, w)
+
+		slog.Info("spawned worker", slog.Int("index", i))
+	}
+
+	return &LoadBalancer{
+		pool: pool,
+		done: doneChan,
+	}
+}
+
+func (b *LoadBalancer) Balance(work chan *Process) {
 	for {
 		select {
 		case req := <-work:
@@ -20,7 +43,7 @@ func (b *LoadBalancer) Balance(work chan Process) {
 	}
 }
 
-func (b *LoadBalancer) dispatch(req Process) {
+func (b *LoadBalancer) dispatch(req *Process) {
 	w := heap.Pop(&b.pool).(*Worker)
 	w.requests <- req
 	w.pending++

server/internal/livestream/livestream.go

@@ -141,26 +141,13 @@ func (l *LiveStream) monitorStartTime(r io.Reader) {
 		}
 	}
 
-	const TRIES = 5
-	/*
-		if it's waiting a livestream the 5th line will indicate the time to live
-		its a dumb and not robust method.
+	scanner.Scan()
 
-		example:
-			[youtube] Extracting URL: https://www.youtube.com/watch?v=IQVbGfVVjgY
-			[youtube] IQVbGfVVjgY: Downloading webpage
-			[youtube] IQVbGfVVjgY: Downloading ios player API JSON
-			[youtube] IQVbGfVVjgY: Downloading web creator player API JSON
-			WARNING: [youtube] This live event will begin in 27 minutes.       <- STDERR, ignore
-			[wait] Waiting for 00:27:15 - Press Ctrl+C to try now              <- 5th line
-	*/
-	for range TRIES {
+	for !strings.Contains(scanner.Text(), "Waiting for") {
 		scanner.Scan()
-
-		if strings.Contains(scanner.Text(), "Waiting for") {
-			waitTimeScanner()
-		}
 	}
+
+	waitTimeScanner()
 }
 
 func (l *LiveStream) WaitTime() <-chan time.Duration {

server/internal/livestream/livestream_test.go

@@ -9,15 +9,17 @@ import (
 )
 
 func setupTest() {
-	config.Instance().DownloaderPath = "yt-dlp"
+	config.Instance().DownloaderPath = "build/yt-dlp"
 }
 
+const URL = "https://www.youtube.com/watch?v=pwoAyLGOysU"
+
 func TestLivestream(t *testing.T) {
 	setupTest()
 
 	done := make(chan *LiveStream)
 
-	ls := New("https://www.youtube.com/watch?v=LSm1daKezcE", done, &internal.MessageQueue{}, &internal.MemoryDB{})
+	ls := New(URL, done, &internal.MessageQueue{}, &internal.MemoryDB{})
 	go ls.Start()
 
 	time.AfterFunc(time.Second*20, func() {

server/internal/playlist.go

@@ -50,7 +50,7 @@ func PlaylistDetect(req DownloadRequest, mq *MessageQueue, db *MemoryDB) error {
 		return errors.New("probably not a valid URL")
 	}
 
-	if m.Type == "playlist" {
+	if m.IsPlaylist() {
 		entries := slices.CompactFunc(slices.Compact(m.Entries), func(a common.DownloadInfo, b common.DownloadInfo) bool {
 			return a.URL == b.URL
 		})

server/internal/pool.go

@@ -1,16 +1,24 @@
 package internal
 
+// Pool implements heap.Interface interface as a standard priority queue
 type Pool []*Worker
 
 func (h Pool) Len() int           { return len(h) }
-func (h Pool) Less(i, j int) bool { return h[i].index < h[j].index }
-func (h Pool) Swap(i, j int)      { h[i], h[j] = h[j], h[i] }
-func (h *Pool) Push(x any)        { *h = append(*h, x.(*Worker)) }
+func (h Pool) Less(i, j int) bool { return h[i].pending < h[j].pending }
+
+func (h Pool) Swap(i, j int) {
+	h[i], h[j] = h[j], h[i]
+	h[i].index = i
+	h[j].index = j
+}
+
+func (h *Pool) Push(x any) { *h = append(*h, x.(*Worker)) }
 
 func (h *Pool) Pop() any {
 	old := *h
 	n := len(old)
 	x := old[n-1]
+	old[n-1] = nil
 	*h = old[0 : n-1]
 	return x
 }

server/internal/process.go

@@ -93,6 +93,7 @@ func (p *Process) Start() {
 
 	baseParams := []string{
 		strings.Split(p.Url, "?list")[0], //no playlist
+		"--no-exec",
 		"--newline",
 		"--no-colors",
 		"--no-playlist",

server/internal/worker.go

@@ -1,9 +1,9 @@
 package internal
 
 type Worker struct {
-	requests chan Process // downloads to do
-	pending  int          // downloads pending
-	index    int          // index in the heap
+	requests chan *Process // downloads to do
+	pending  int           // downloads pending
+	index    int           // index in the heap
 }
 
 func (w *Worker) Work(done chan *Worker) {

server/openid/handler.go

@@ -6,10 +6,12 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/uuid"
+	"github.com/marcopiovanello/yt-dlp-web-ui/v3/server/config"
 	"golang.org/x/oauth2"
 )
 
@@ -76,6 +78,21 @@ func doAuthentification(r *http.Request, setCookieCallback func(t *oauth2.Token)
 		return nil, err
 	}
 
+	var claims struct {
+		Email    string `json:"email"`
+		Verified bool   `json:"email_verified"`
+	}
+
+	if err := idToken.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	whitelist := config.Instance().OpenIdEmailWhitelist
+
+	if len(whitelist) > 0 && !slices.Contains(whitelist, claims.Email) {
+		return nil, errors.New("email address not found in ACL")
+	}
+
 	nonce, err := r.Cookie("nonce")
 	if err != nil {
 		return nil, err

server/playlist/types.go

@@ -8,3 +8,5 @@ type Metadata struct {
 	PlaylistTitle string                `json:"title"`
 	Type          string                `json:"_type"`
 }
+
+func (m *Metadata) IsPlaylist() bool { return m.Type == "playlist" }

server/rpc/service.go

@@ -183,6 +183,7 @@ func (s *Service) KillAll(args NoArgs, killed *string) error {
 		}
 
 		slog.Info("succesfully killed process", slog.String("id", proc.Id))
+		proc = nil // gc helper
 	}
 
 	return nil
@@ -195,6 +196,35 @@ func (s *Service) Clear(args string, killed *string) error {
 	return nil
 }
 
+// Removes completed processes
+func (s *Service) ClearCompleted(cleared *string) error {
+	var (
+		keys       = s.db.Keys()
+		removeFunc = func(p *internal.Process) error {
+			defer s.db.Delete(p.Id)
+
+			if p.Progress.Status != internal.StatusCompleted {
+				return nil
+			}
+
+			return p.Kill()
+		}
+	)
+
+	for _, key := range *keys {
+		proc, err := s.db.Get(key)
+		if err != nil {
+			return err
+		}
+
+		if err := removeFunc(proc); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // FreeSpace gets the available from package sys util
 func (s *Service) FreeSpace(args NoArgs, free *uint64) error {
 	freeSpace, err := sys.FreeSpace()