fix(push): enforce per-stream push authentication (S-8); remove webhook egress guard; triage remaining findings#29
Merged
Conversation
…indings Push ingest previously accepted any client that knew a registered stream code — the per-stream StreamKey was defined in the data model but never checked. Wire it: - RTMP publishers supply the secret as ?key=<secret> on the publish URL; the query is stripped from the stream name so routing is unaffected. - The RTMP server resolves a stream's configured StreamKey via a resolver (publisher in-memory table for live + auto-publish runtime streams, with a store+template fallback for configured streams) and constant-time- compares before claiming the registry slot. An empty key opts the stream out (backward-compatible). - Auto-publish enforces the matching template's StreamKey before materialising the runtime stream, so an unauthorised push never starts a pipeline. Also remove the webhook egress dial guard (and delete the now-unused guard package): webhooks legitimately target private/local endpoints, the admin API that made it reachable is authenticated, and delivery is blind POST — so the guard blocked a real use case for negligible benefit. Audit doc: S-8 marked fixed; the webhook-SSRF and the remaining MEDIUM/LOW findings (secrets in logs/metrics/store, playlist-param nuisance, local unix socket, proxy-trusted client IP, profiling endpoint) marked accepted with rationale. Tests: push key + secret-parse + auto-publish key enforcement. make check green (build + vet + lint + test -race).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Closes out the security triage: fixes the one remaining real gap (S-8) and removes a guard that blocked a legitimate use case; the rest of the open MEDIUM/LOW findings are risk-accepted with rationale in the audit doc.
S-8 — push ingest now authenticated (the fix)
Push ingest previously accepted any client that knew a registered stream code — the per-stream
StreamKeywas in the data model but never checked.?key=<secret>on the publish URL; the query is stripped from the stream name, so routing is unaffected.StreamKeyvia a resolver (publisher in-memory table for live + auto-publish runtime streams, with a store+template fallback for configured streams — mirroring the media-authPolicyResolver) and constant-time-compares it before claiming the registry slot. A mismatch is rejected before any slot/pipeline state changes.StreamKeyopts the stream out (unauthenticated, backward-compatible).StreamKeyinsideResolveOrCreatebefore materialising the runtime stream, so an unauthorised push never starts a pipeline.Operational note: after deploy, any stream with a configured
stream_keywill require encoders to push with?key=…; streams without a key are unaffected.Webhook egress guard removed
The
internal/netguarddial guard on the webhook client (and the package) is removed: webhooks legitimately target private/local endpoints (sidecar collectors, internal services on loopback), the admin API that made it reachable is now authenticated, and delivery is blind POST — so the guard blocked a real use case for negligible benefit.Triage (audit doc)
Tests
TestPushKeyOK,TestPushSecretFromQuery,TestResolveOrCreate_StreamKeyEnforced.make checkgreen (build + vet + lint 0 issues + test -race, 31 packages).Residual (noted, not in scope)
Concurrent-runtime-stream cap + per-source-IP rate-limit (DoS hardening, orthogonal to the auth gap); SRT push has no server in the codebase so there is nothing to gate there.