Add back restricted Stream.AddStream functionality (#1331)

* Allow back Stream.AddStream but don't allow a process stream type * Don't allow controlscript parameters when creating streams through RPC * Added back documentation for Straem.AddStream and Stream.removeStream * Fixed checking controlscript parameter It is actually a property of the streamUri URI instead of a separate parameter * Small doc update to clarify things * Fixed missing doc delimiter * Removed unused checkParamsNotAllowed method
badaix · Jan 19, 2025 · 9254be1 · 9254be1
1 parent fab6646
commit 9254be1
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 3 deletions.
diff --git a/doc/json_rpc_api/control.md b/doc/json_rpc_api/control.md
@@ -161,6 +161,8 @@ The Server JSON object contains a list of Groups and Streams. Every Group holds
 * Stream
   * [Stream.Control](#streamcontrol)
   * [Stream.SetProperty](#streamsetproperty)
+  * [Stream.AddStream](#streamaddstream)
+  * [Stream.RemoveStream](#streamremovestream)
 
 ### Notifications
 
@@ -480,6 +482,38 @@ See [Plugin.Stream.Player.SetProperty](stream_plugin.md#pluginstreamplayersetpro
 {"id": 1, "jsonrpc": "2.0", "result": "ok"}
 ```
 
+### Stream.AddStream
+
+Note: for security purposes, we don't allow adding `process` streams.
+We also don't allow setting the `controlscript` query parameter of streamUri.
+
+#### Request
+
+```json
+{"id":8,"jsonrpc":"2.0","method":"Stream.AddStream","params":{"streamUri":"pipe:///tmp/snapfifo?name=stream 2"}}
+```
+
+#### Response
+
+```json
+{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
+```
+
+### Stream.RemoveStream
+
+#### Request
+
+```json
+{"id":8,"jsonrpc":"2.0","method":"Stream.RemoveStream","params":{"id":"stream 2"}}
+```
+
+#### Response
+
+```json
+{"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
+```
+
+
 ##### Error
 
 ```json

diff --git a/server/control_requests.cpp b/server/control_requests.cpp
@@ -99,10 +99,8 @@ ControlRequestFactory::ControlRequestFactory(const Server& server)
     // Stream requests
     add_request(std::make_shared<StreamControlRequest>(server));
     add_request(std::make_shared<StreamSetPropertyRequest>(server));
-#if 0 // Removed to fix CVE-2023-36177
     add_request(std::make_shared<StreamAddRequest>(server));
     add_request(std::make_shared<StreamRemoveRequest>(server));
-#endif
 
     // Server requests
     add_request(std::make_shared<ServerGetRpcVersionRequest>(server));
@@ -692,11 +690,20 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&
 
     checkParams(request, {"streamUri"});
 
+    // Don't allow adding a process stream: CVE-2023-36177
+    const std::string streamUri = request->params().get("streamUri");
+    const StreamUri parsedUri(streamUri);
+    if(parsedUri.scheme == "process")
+        throw jsonrpcpp::InvalidParamsException("Adding process streams is not allowed", request->id());
+
+    // Don't allow settings the controlscript streamUri property
+    if (!parsedUri.getQuery("controlscript").empty())
+        throw jsonrpcpp::InvalidParamsException("No controlscript streamUri property allowed", request->id());
+
     std::ignore = authinfo;
     LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n";
 
     // Add stream
-    std::string streamUri = request->params().get("streamUri");
     PcmStreamPtr stream = getStreamManager().addStream(streamUri);
     if (stream == nullptr)
         throw jsonrpcpp::InternalErrorException("Stream not created", request->id());