Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 16 additions & 5 deletions .github/workflows/flutter-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ env:
# vcpkg version: 2025.08.27
# If we change the `VCPKG COMMIT_ID`, please remember:
# 1. Call `$VCPKG_ROOT/vcpkg x-update-baseline` to update the baseline in `vcpkg.json`.
# Or we may face build issue like
# Or we may face build issue like
# https://github.com/rustdesk/rustdesk/actions/runs/14414119794/job/40427970174
# 2. Update the `VCPKG_COMMIT_ID` in `ci.yml` and `playground.yml`.
VCPKG_COMMIT_ID: "120deac3062162151622ca4860575a33844ba10b"
Expand All @@ -49,6 +49,7 @@ env:
#signing keys env variable checks
ANDROID_SIGNING_KEY: "${{ secrets.ANDROID_SIGNING_KEY }}"
MACOS_P12_BASE64: "${{ secrets.MACOS_P12_BASE64 }}"
MACOS_NOTARIZE_JSON: "${{ secrets.MACOS_NOTARIZE_JSON }}"
UPLOAD_ARTIFACT: "${{ inputs.upload-artifact }}"
SIGN_BASE_URL: "${{ secrets.SIGN_BASE_URL }}-2"

Expand Down Expand Up @@ -615,7 +616,7 @@ jobs:
run: |
rustup target add ${{ matrix.job.target }}
cargo build --locked --features flutter,hwcodec --release --target aarch64-apple-ios --lib

- name: Upload liblibrustdesk.a Artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
Expand Down Expand Up @@ -693,12 +694,20 @@ jobs:

- name: Check sign and import sign key
if: env.MACOS_P12_BASE64 != null
env:
MACOS_CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
shell: bash
run: |
security default-keychain -s rustdesk.keychain
security find-identity -v
if ! [[ "$MACOS_CODESIGN_IDENTITY" =~ ^[A-Za-z0-9]+$ ]]; then
# Ensure no whitespaces or special characters
echo 'FATAL: Invalid `secrets.MACOS_CODESIGN_IDENTITY` given. If signing key is stored on your Mac, you can run `security find-identity -v -p codesigning` to find out hex format of your identity.' >&2
exit 128
fi

- name: Import notarize key
if: env.MACOS_P12_BASE64 != null
if: env.MACOS_P12_BASE64 != null && env.MACOS_NOTARIZE_JSON != null
uses: timheuer/base64-to-file@adaa40c0c581f276132199d4cf60afa07ce60eac # v1.2
with:
# https://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_rcodesign.html#notarizing-and-stapling
Expand Down Expand Up @@ -846,8 +855,10 @@ jobs:
codesign --force --options runtime -s ${{ secrets.MACOS_CODESIGN_IDENTITY }} --deep --strict ./flutter/build/macos/Build/Products/Release/RustDesk.app -vvv
create-dmg --icon "RustDesk.app" 200 190 --hide-extension "RustDesk.app" --window-size 800 400 --app-drop-link 600 185 rustdesk-${{ env.VERSION }}.dmg ./flutter/build/macos/Build/Products/Release/RustDesk.app
codesign --force --options runtime -s ${{ secrets.MACOS_CODESIGN_IDENTITY }} --deep --strict rustdesk-${{ env.VERSION }}.dmg -vvv
# notarize the rustdesk-${{ env.VERSION }}.dmg
rcodesign notary-submit --api-key-path ${{ github.workspace }}/rustdesk.json --staple rustdesk-${{ env.VERSION }}.dmg
if [ "$MACOS_NOTARIZE_JSON" != "" ]; then
# notarize the rustdesk-${{ env.VERSION }}.dmg
rcodesign notary-submit --api-key-path ${{ github.workspace }}/rustdesk.json --staple rustdesk-${{ env.VERSION }}.dmg
fi

- name: Rename rustdesk
if: env.UPLOAD_ARTIFACT == 'true'
Expand Down
4 changes: 2 additions & 2 deletions src/hbbs_http.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@ mod http_client;
pub mod record_upload;
pub mod sync;
pub use http_client::{
create_http_client_async, create_http_client_async_with_url, create_http_client_with_url,
get_url_for_tls,
create_http_client_async, create_http_client_async_with_url_strict,
create_http_client_with_url, create_http_client_with_url_strict, get_url_for_tls,
};

#[derive(Debug)]
Expand Down
4 changes: 2 additions & 2 deletions src/hbbs_http/downloader.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use super::create_http_client_async_with_url;
use super::create_http_client_async_with_url_strict;
use hbb_common::{
bail,
lazy_static::lazy_static,
Expand Down Expand Up @@ -167,7 +167,7 @@ async fn do_download(
auto_del_dur: Option<Duration>,
mut rx_cancel: UnboundedReceiver<()>,
) -> ResultType<bool> {
let client = create_http_client_async_with_url(&url).await;
let client = create_http_client_async_with_url_strict(&url).await?;

let mut is_all_downloaded = false;
tokio::select! {
Expand Down
55 changes: 55 additions & 0 deletions src/hbbs_http/http_client.rs
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
use hbb_common::{
async_recursion::async_recursion,
bail,
config::{Config, Socks5Server},
log::{self, info},
proxy::{Proxy, ProxyScheme},
tls::{
get_cached_tls_accept_invalid_cert, get_cached_tls_type, is_plain, upsert_tls_cache,
TlsType,
},
ResultType,
};
use reqwest::{blocking::Client as SyncClient, Client as AsyncClient};

Expand Down Expand Up @@ -137,6 +139,32 @@ pub fn create_http_client_with_url(url: &str) -> SyncClient {
)
}

pub fn create_http_client_with_url_strict(url: &str) -> ResultType<SyncClient> {
let parsed_url = url::Url::parse(url)?;
if parsed_url.scheme() != "https" {
bail!("Strict HTTP client requires HTTPS: {}", url);
}
let proxy_conf = Config::get_socks();
let tls_url = get_url_for_tls(url, &proxy_conf);
let cached_tls_type = get_cached_tls_type(tls_url);
let cached_danger_accept_invalid_cert = get_cached_tls_accept_invalid_cert(tls_url);
let can_reuse_cached_probe =
cached_tls_type.is_some() && cached_danger_accept_invalid_cert == Some(false);
let tls_type = if can_reuse_cached_probe {
cached_tls_type.unwrap_or(TlsType::Rustls)
} else {
TlsType::Rustls
};
Ok(create_http_client_with_url_(
url,
tls_url,
tls_type,
can_reuse_cached_probe,
Some(false),
Some(false),
))
}

fn create_http_client_with_url_(
url: &str,
tls_url: &str,
Expand Down Expand Up @@ -247,6 +275,33 @@ pub async fn create_http_client_async_with_url(url: &str) -> AsyncClient {
.await
}

pub async fn create_http_client_async_with_url_strict(url: &str) -> ResultType<AsyncClient> {
let parsed_url = url::Url::parse(url)?;
if parsed_url.scheme() != "https" {
bail!("Strict HTTP client requires HTTPS: {}", url);
}
let proxy_conf = Config::get_socks();
let tls_url = get_url_for_tls(url, &proxy_conf);
let cached_tls_type = get_cached_tls_type(tls_url);
let cached_danger_accept_invalid_cert = get_cached_tls_accept_invalid_cert(tls_url);
let can_reuse_cached_probe =
cached_tls_type.is_some() && cached_danger_accept_invalid_cert == Some(false);
let tls_type = if can_reuse_cached_probe {
cached_tls_type.unwrap_or(TlsType::Rustls)
} else {
TlsType::Rustls
};
Ok(create_http_client_async_with_url_(
url,
tls_url,
tls_type,
can_reuse_cached_probe,
Some(false),
Some(false),
)
.await)
}

#[async_recursion]
async fn create_http_client_async_with_url_(
url: &str,
Expand Down
99 changes: 94 additions & 5 deletions src/updater.rs
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
use crate::{common::do_check_software_update, hbbs_http::create_http_client_with_url};
use crate::{common::do_check_software_update, hbbs_http::create_http_client_with_url_strict};
use hbb_common::{bail, config, log, ResultType};
use std::{
io::Write,
path::PathBuf,
path::{Component, Path, PathBuf},
sync::{
atomic::{AtomicUsize, Ordering},
mpsc::{channel, Receiver, Sender},
Expand Down Expand Up @@ -153,7 +153,7 @@ fn check_update(manually: bool) -> ResultType<()> {
format!("{}/rustdesk-{}-x86-sciter.exe", download_url, version)
};
log::debug!("New version available: {}", &version);
let client = create_http_client_with_url(&download_url);
let client = create_http_client_with_url_strict(&download_url)?;
let Some(file_path) = get_download_file_from_url(&download_url) else {
bail!("Failed to get the file path from the URL: {}", download_url);
};
Expand Down Expand Up @@ -291,7 +291,96 @@ fn update_new_version(update_msi: bool, version: &str, file_path: &PathBuf) {
}
}

pub fn get_download_file_from_url(url: &str) -> Option<PathBuf> {
let filename = url.split('/').last()?;
pub fn get_update_download_file_from_url(url: &str) -> Option<PathBuf> {
let parsed = url::Url::parse(url).ok()?;
// Check the raw prefix before Url normalizes default ports.
if !url.starts_with("https://github.com/")
|| parsed.scheme() != "https"
|| parsed.host_str() != Some("github.com")
|| !parsed.username().is_empty()
|| parsed.password().is_some()
|| parsed.port().is_some()
|| parsed.query().is_some()
|| parsed.fragment().is_some()
{
return None;
}

let mut segments = parsed.path_segments()?;
let owner = segments.next()?;
let repo = segments.next()?;
let releases = segments.next()?;
let download = segments.next()?;
let tag = segments.next()?;
let filename = segments.next()?;

if owner != "rustdesk"
|| repo != "rustdesk"
|| releases != "releases"
|| download != "download"
|| tag.is_empty()
|| segments.next().is_some()
|| !is_plain_update_filename(filename)
{
return None;
}

Some(std::env::temp_dir().join(filename))
}

fn is_plain_update_filename(filename: &str) -> bool {
if filename.is_empty()
|| filename.contains('/')
|| filename.contains('\\')
|| filename.contains(':')
{
return false;
}

let mut components = Path::new(filename).components();
matches!(
components.next(),
Some(Component::Normal(name)) if name.to_str() == Some(filename)
) && components.next().is_none()
}

pub fn get_download_file_from_url(url: &str) -> Option<PathBuf> {
get_update_download_file_from_url(url)
}

#[cfg(test)]
mod tests {
use super::get_download_file_from_url;

#[test]
fn update_download_file_accepts_expected_github_asset_urls() {
let file = get_download_file_from_url(
"https://github.com/rustdesk/rustdesk/releases/download/1.4.0/rustdesk-1.4.0-x86_64.dmg",
)
.expect("valid GitHub release asset URL");

assert_eq!(
file.file_name().and_then(|name| name.to_str()),
Some("rustdesk-1.4.0-x86_64.dmg")
);
}

#[test]
fn update_download_file_rejects_untrusted_or_malformed_urls() {
for url in [
"http://github.com/rustdesk/rustdesk/releases/download/1/rustdesk.exe",
"https://example.com/rustdesk.exe",
"https://github.com/other/project/releases/download/1/rustdesk.exe",
"https://github.com/rustdesk/rustdesk/releases/download/1/",
"https://github.com/rustdesk/rustdesk/releases/download/1/nested/rustdesk.exe",
"https://github.com/rustdesk/rustdesk/releases/download/1/C:rustdesk.exe",
"https://user@github.com/rustdesk/rustdesk/releases/download/1/rustdesk.exe",
"https://github.com:443/rustdesk/rustdesk/releases/download/1/rustdesk.exe",
"https://github.com/rustdesk/rustdesk/releases/download/1/rustdesk.exe?download=1",
"https://github.com/rustdesk/rustdesk/releases/download/1/rustdesk.exe#download",
"not a url",
] {
assert!(get_download_file_from_url(url).is_none(), "{url}");
}
}
}
Loading