Address path traversal and other security fixes

2026-04-10 14:58:57 -04:00
parent e1c32b6584
commit da16fddce3
4 changed files with 19 additions and 18 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -503,14 +503,10 @@ async fn stream_video(
    let playlist = &path.path;
    debug!("Playlist: {}", playlist);

-    // Extract video playlist dir to dotenv
-    if !playlist.starts_with(&app_state.video_path)
-        && is_valid_full_path(&app_state.base_path, playlist, false).is_some()
+    // Only serve files under video_path (HLS playlists) or base_path (source videos)
+    if playlist.starts_with(&app_state.video_path)
+        || is_valid_full_path(&app_state.base_path, playlist, false).is_some()
    {
-        span.set_status(Status::error(format!("playlist not valid {}", playlist)));
-
-        HttpResponse::BadRequest().finish()
-    } else {
        match NamedFile::open(playlist) {
            Ok(file) => {
                span.set_status(Status::Ok);
@@ -521,6 +517,9 @@ async fn stream_video(
                HttpResponse::NotFound().finish()
            }
        }
+    } else {
+        span.set_status(Status::error(format!("playlist not valid {}", playlist)));
+        HttpResponse::BadRequest().finish()
    }
 }

@@ -1209,6 +1208,7 @@ fn main() -> std::io::Result<()> {
                .app_data::<Data<Mutex<SqliteKnowledgeDao>>>(Data::new(Mutex::new(
                    SqliteKnowledgeDao::new(),
                )))
+                .app_data(mp::form::MultipartFormConfig::default().total_limit(1024 * 1024 * 1024)) // 1GB upload limit
                .app_data(web::JsonConfig::default().error_handler(|err, req| {
                    let detail = err.to_string();
                    log::warn!(