Test support for Zap Links (#184)

* zap link poc * Initial support for media links * rename remote attr on token * block possible arbitrary execution from zap links * split out install media * media install mister only
ZaparooProject · Feb 18, 2025 · d59913c · d59913c
1 parent 437a7e7
commit d59913c
Show file tree

Hide file tree

Showing 13 changed files with 331 additions and 29 deletions.
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,4 @@ Taskfile.yml
 /scripts/mister/build/_build
 
 .DS_Store
+tmp/
diff --git a/pkg/api/methods/readers.go b/pkg/api/methods/readers.go
@@ -3,6 +3,7 @@ package methods
 import (
 	"encoding/json"
 	"errors"
+
 	"github.com/ZaparooProject/zaparoo-core/pkg/api/models"
 	"github.com/ZaparooProject/zaparoo-core/pkg/api/models/requests"
 	"github.com/rs/zerolog/log"
@@ -29,7 +30,7 @@ func HandleReaderWrite(env requests.RequestEnv) (any, error) {
 	rid := rs[0]
 	lt := env.State.GetLastScanned()
 
-	if !lt.ScanTime.IsZero() && !lt.Remote {
+	if !lt.ScanTime.IsZero() && !lt.FromAPI {
 		rid = lt.Source
 	}
 

diff --git a/pkg/api/methods/run.go b/pkg/api/methods/run.go
@@ -4,15 +4,16 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
 	"github.com/ZaparooProject/zaparoo-core/pkg/api/models"
 	"github.com/ZaparooProject/zaparoo-core/pkg/api/models/requests"
 	"github.com/ZaparooProject/zaparoo-core/pkg/config"
 	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
 	"golang.org/x/text/unicode/norm"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
 
 	"github.com/ZaparooProject/zaparoo-core/pkg/service/state"
 	"github.com/go-chi/chi/v5"
@@ -86,7 +87,7 @@ func HandleRun(env requests.RequestEnv) (any, error) {
 	}
 
 	t.ScanTime = time.Now()
-	t.Remote = true // TODO: check if this is still necessary after api update
+	t.FromAPI = true // TODO: check if this is still necessary after api update
 
 	// TODO: how do we report back errors? put channel in queue
 	env.State.SetActiveCard(t)
@@ -122,7 +123,7 @@ func HandleRunRest(
 		t := tokens.Token{
 			Text:     norm.NFC.String(text),
 			ScanTime: time.Now(),
-			Remote:   true,
+			FromAPI:  true,
 		}
 
 		st.SetActiveCard(t)

diff --git a/pkg/platforms/mister/socket.go b/pkg/platforms/mister/socket.go
@@ -5,10 +5,11 @@ package mister
 import (
 	"errors"
 	"fmt"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
 	"net"
 	"strings"
 
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
+
 	"github.com/ZaparooProject/zaparoo-core/pkg/readers"
 	"github.com/rs/zerolog/log"
 )
@@ -97,7 +98,7 @@ func StartSocketServer(
 						rid := rids[0]
 
 						lt := getLastScan()
-						if lt != nil && !lt.ScanTime.IsZero() && !lt.Remote {
+						if lt != nil && !lt.ScanTime.IsZero() && !lt.FromAPI {
 							rid = lt.Source
 						}
 

diff --git a/pkg/platforms/platforms.go b/pkg/platforms/platforms.go
@@ -19,10 +19,10 @@ type CmdEnv struct {
 	NamedArgs     map[string]string
 	Cfg           *config.Instance
 	Playlist      playlists.PlaylistController
-	Manual        bool
 	Text          string
 	TotalCommands int
 	CurrentIndex  int
+	Untrusted     bool
 }
 
 type ScanResult struct {

diff --git a/pkg/readers/simple_serial/simple_serial.go b/pkg/readers/simple_serial/simple_serial.go
@@ -2,13 +2,14 @@ package simple_serial
 
 import (
 	"errors"
-	"github.com/ZaparooProject/zaparoo-core/pkg/config"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
 	"os"
 	"runtime"
 	"strings"
 	"time"
 
+	"github.com/ZaparooProject/zaparoo-core/pkg/config"
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
+
 	"github.com/ZaparooProject/zaparoo-core/pkg/readers"
 	"github.com/ZaparooProject/zaparoo-core/pkg/utils"
 	"github.com/rs/zerolog/log"
@@ -71,7 +72,7 @@ func (r *SimpleSerialReader) parseLine(line string) (*tokens.Token, error) {
 		} else if strings.HasPrefix(ps[i], "removable=") {
 			// TODO: this isn't really what removable means, but it works
 			//		 for now. it will block shell commands though
-			t.Remote = ps[i][10:] == "no"
+			t.FromAPI = ps[i][10:] == "no"
 			hasArg = true
 		}
 	}

diff --git a/pkg/service/readers.go b/pkg/service/readers.go
@@ -2,12 +2,13 @@ package service
 
 import (
 	"errors"
+	"strings"
+	"time"
+
 	"github.com/ZaparooProject/zaparoo-core/pkg/config"
 	"github.com/ZaparooProject/zaparoo-core/pkg/database"
 	"github.com/ZaparooProject/zaparoo-core/pkg/service/playlists"
 	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
-	"strings"
-	"time"
 
 	"github.com/ZaparooProject/zaparoo-core/pkg/platforms"
 	"github.com/ZaparooProject/zaparoo-core/pkg/readers"
@@ -30,7 +31,7 @@ func shouldExit(
 		return false
 	}
 
-	if st.GetLastScanned().Remote {
+	if st.GetLastScanned().FromAPI {
 		return false
 	}
 

diff --git a/pkg/service/service.go b/pkg/service/service.go
@@ -23,14 +23,15 @@ package service
 
 import (
 	"fmt"
-	"github.com/ZaparooProject/zaparoo-core/pkg/api"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/playlists"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
+	"github.com/ZaparooProject/zaparoo-core/pkg/api"
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/playlists"
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
+
 	"golang.org/x/exp/slices"
 
 	"github.com/ZaparooProject/zaparoo-core/pkg/config"
@@ -78,7 +79,6 @@ func launchToken(
 			cfg,
 			plsc,
 			token,
-			mapped,
 			cmd,
 			len(cmds),
 			i,
@@ -87,7 +87,7 @@ func launchToken(
 			return err
 		}
 
-		if softwareSwap && !token.Remote {
+		if softwareSwap && !token.FromAPI {
 			log.Info().Msgf("current software launched set to: %s", token.UID)
 			lsq <- &token
 		}

diff --git a/pkg/service/tokens/tokens.go b/pkg/service/tokens/tokens.go
@@ -18,6 +18,6 @@ type Token struct {
 	Text     string
 	Data     string
 	ScanTime time.Time
-	Remote   bool // TODO: wtf does this even do now
+	FromAPI  bool
 	Source   string
 }
diff --git a/pkg/zapscript/commands.go b/pkg/zapscript/commands.go
@@ -22,14 +22,15 @@ package zapscript
 
 import (
 	"fmt"
-	"github.com/ZaparooProject/zaparoo-core/pkg/config"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/playlists"
-	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 
+	"github.com/ZaparooProject/zaparoo-core/pkg/config"
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/playlists"
+	"github.com/ZaparooProject/zaparoo-core/pkg/service/tokens"
+
 	"golang.org/x/exp/slices"
 
 	"github.com/rs/zerolog/log"
@@ -133,11 +134,21 @@ func LaunchToken(
 	cfg *config.Instance,
 	plsc playlists.PlaylistController,
 	t tokens.Token,
-	manual bool,
 	text string,
 	totalCommands int,
 	currentIndex int,
 ) (error, bool) {
+	var untrusted bool
+	newText, err := checkLink(cfg, pl, text)
+	if err != nil {
+		log.Error().Err(err).Msgf("error checking link, continuing")
+	} else if newText != "" {
+		log.Info().Msgf("valid zap link, replacing text: %s", newText)
+		text = newText
+		untrusted = true
+	}
+
+	// advanced args
 	namedArgs := make(map[string]string)
 	if i := strings.LastIndex(text, "?"); i != -1 {
 		u, err := url.Parse(text[i:])
@@ -179,10 +190,10 @@ func LaunchToken(
 			NamedArgs:     namedArgs,
 			Cfg:           cfg,
 			Playlist:      plsc,
-			Manual:        manual,
 			Text:          text,
 			TotalCommands: totalCommands,
 			CurrentIndex:  currentIndex,
+			Untrusted:     untrusted,
 		}
 
 		if f, ok := commandMappings[cmd]; ok {
@@ -213,9 +224,9 @@ func LaunchToken(
 		Args:          text,
 		NamedArgs:     namedArgs,
 		Cfg:           cfg,
-		Manual:        manual,
 		Text:          text,
 		TotalCommands: totalCommands,
 		CurrentIndex:  currentIndex,
+		Untrusted:     untrusted,
 	}), true
 }
diff --git a/pkg/zapscript/input.go b/pkg/zapscript/input.go
@@ -12,6 +12,9 @@ import (
 
 // DEPRECATED
 func cmdKey(pl platforms.Platform, env platforms.CmdEnv) error {
+	if env.Untrusted {
+		return fmt.Errorf("command cannot be run from a remote source")
+	}
 	return pl.KeyboardInput(env.Args)
 }
 
@@ -70,6 +73,10 @@ func readKeys(keys string) ([]string, error) {
 }
 
 func cmdKeyboard(pl platforms.Platform, env platforms.CmdEnv) error {
+	if env.Untrusted {
+		return fmt.Errorf("command cannot be run from a remote source")
+	}
+
 	log.Info().Msgf("keyboard input: %s", env.Args)
 
 	// TODO: stuff like adjust delay, only press, etc.
@@ -91,6 +98,10 @@ func cmdKeyboard(pl platforms.Platform, env platforms.CmdEnv) error {
 }
 
 func cmdGamepad(pl platforms.Platform, env platforms.CmdEnv) error {
+	if env.Untrusted {
+		return fmt.Errorf("command cannot be run from a remote source")
+	}
+
 	log.Info().Msgf("gamepad input: %s", env.Args)
 
 	names, err := readKeys(env.Args)
@@ -115,7 +126,7 @@ func insertCoin(pl platforms.Platform, env platforms.CmdEnv, key string) error {
 	}
 
 	for i := 0; i < amount; i++ {
-		pl.KeyboardInput(key)
+		_ = pl.KeyboardInput(key)
 		time.Sleep(100 * time.Millisecond)
 	}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -27,3 +27,4 @@ Taskfile.yml
		/scripts/mister/build/_build

		.DS_Store
		tmp/