mirror of
https://github.com/navidrome/navidrome.git
synced 2026-03-04 06:35:52 +00:00
652c27690b
* feat(httpclient): implement HttpClient service for outbound HTTP requests in plugins Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): enhance SSRF protection by validating host requests against private IPs Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): support DELETE requests with body in HttpClient service Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): refactor HTTP client initialization and enhance redirect handling Signed-off-by: Deluan <deluan@navidrome.org> * refactor(http): standardize naming conventions for HTTP types and methods Signed-off-by: Deluan <deluan@navidrome.org> * refactor example plugin to use host.HTTPSend for improved error management Signed-off-by: Deluan <deluan@navidrome.org> * fix(plugins): fix IPv6 SSRF bypass and wildcard host matching Fix two bugs in the plugin HTTP/WebSocket host validation: 1. extractHostname now strips IPv6 brackets when no port is present (e.g. "[::1]" → "::1"). Previously, net.SplitHostPort failed for bracketed IPv6 without a port, leaving brackets intact. This caused net.ParseIP to return nil, bypassing the private/loopback SSRF guard. 2. matchHostPattern now treats "*" as an allow-all pattern. Previously, a bare "*" only matched via exact equality, so plugins declaring requiredHosts: ["*"] (like webhook-rs) had all requests rejected. --------- Signed-off-by: Deluan <deluan@navidrome.org>
41 lines
1.6 KiB
Go
41 lines
1.6 KiB
Go
package host
|
|
|
|
import "context"
|
|
|
|
// HTTPRequest represents an outbound HTTP request from a plugin.
|
|
type HTTPRequest struct {
|
|
Method string `json:"method"`
|
|
URL string `json:"url"`
|
|
Headers map[string]string `json:"headers,omitempty"`
|
|
Body []byte `json:"body,omitempty"`
|
|
TimeoutMs int32 `json:"timeoutMs,omitempty"`
|
|
}
|
|
|
|
// HTTPResponse represents the response from an outbound HTTP request.
|
|
type HTTPResponse struct {
|
|
StatusCode int32 `json:"statusCode"`
|
|
Headers map[string]string `json:"headers,omitempty"`
|
|
Body []byte `json:"body,omitempty"`
|
|
}
|
|
|
|
// HTTPService provides outbound HTTP request capabilities for plugins.
|
|
//
|
|
// This service allows plugins to make HTTP requests to external services.
|
|
// Requests are validated against the plugin's declared requiredHosts patterns
|
|
// from the http permission in the manifest. Redirects are followed but each
|
|
// redirect destination is also validated against the allowed hosts.
|
|
//
|
|
//nd:hostservice name=HTTP permission=http
|
|
type HTTPService interface {
|
|
// Send executes an HTTP request and returns the response.
|
|
//
|
|
// Parameters:
|
|
// - request: The HTTP request to execute, including method, URL, headers, body, and timeout
|
|
//
|
|
// Returns the HTTP response with status code, headers, and body.
|
|
// Network errors, timeouts, and permission failures are returned as Go errors.
|
|
// Successful HTTP calls (including 4xx/5xx status codes) return a non-nil response with nil error.
|
|
//nd:hostfunc
|
|
Send(ctx context.Context, request HTTPRequest) (*HTTPResponse, error)
|
|
}
|