security: harden code against command injection and path traversal
Core changes: * enforce HTTPS URLs and remove shell usage in generate_release.py * replace os.system calls with subprocess across the codebase * validate external inputs (playlist names, video IDs) Improvements and fixes: * settings.py: fix typo (node.lineno → line_number); use isinstance() over type() * youtube/get_app_version: improve git detection using subprocess.DEVNULL * youtube/util.py: add cleanup helpers; use shutil.which for binary resolution YouTube modules: * watch.py: detect and flag HLS streams; remove unused audio_track_sources * comments.py: return early when comments are disabled; add error handling * local_playlist.py: validate playlist names to prevent path traversal * subscriptions.py: replace asserts with proper error handling; validate video IDs Cleanup: * remove unused imports across modules (playlist, search, channel) * reorganize package imports in youtube/**init**.py * simplify test imports and fix cleanup_func in tests Tests: * tests/test_shorts.py: simplify imports * tests/test_util.py: fix cleanup_func definition
This commit is contained in:
20
server.py
20
server.py
@@ -1,22 +1,28 @@
|
||||
#!/usr/bin/env python3
|
||||
# E402 is deliberately ignored in this file: `monkey.patch_all()` must run
|
||||
# before any stdlib networking or gevent-dependent modules are imported.
|
||||
from gevent import monkey
|
||||
monkey.patch_all()
|
||||
import gevent.socket
|
||||
|
||||
from youtube import yt_app
|
||||
from youtube import util
|
||||
|
||||
# these are just so the files get run - they import yt_app and add routes to it
|
||||
from youtube import watch, search, playlist, channel, local_playlist, comments, subscriptions
|
||||
from youtube import (
|
||||
watch,
|
||||
search,
|
||||
playlist,
|
||||
channel,
|
||||
local_playlist,
|
||||
comments,
|
||||
subscriptions,
|
||||
)
|
||||
|
||||
import settings
|
||||
|
||||
from gevent.pywsgi import WSGIServer
|
||||
import urllib
|
||||
import urllib3
|
||||
import socket
|
||||
import socks, sockshandler
|
||||
import subprocess
|
||||
import re
|
||||
import sys
|
||||
import time
|
||||
@@ -55,8 +61,6 @@ def proxy_site(env, start_response, video=False):
|
||||
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)',
|
||||
'Accept': '*/*',
|
||||
}
|
||||
current_range_start = 0
|
||||
range_end = None
|
||||
if 'HTTP_RANGE' in env:
|
||||
send_headers['Range'] = env['HTTP_RANGE']
|
||||
|
||||
@@ -274,6 +278,8 @@ class FilteredRequestLog:
|
||||
|
||||
if __name__ == '__main__':
|
||||
if settings.allow_foreign_addresses:
|
||||
# Binding to all interfaces is opt-in via the
|
||||
# `allow_foreign_addresses` setting and documented as discouraged.
|
||||
server = WSGIServer(('0.0.0.0', settings.port_number), site_dispatch,
|
||||
log=FilteredRequestLog())
|
||||
ip_server = '0.0.0.0'
|
||||
|
||||
Reference in New Issue
Block a user