arian/navidrome
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

feat(plugins): add HTTP host service (#5095)

Browse Source 
* feat(httpclient): implement HttpClient service for outbound HTTP requests in plugins

Signed-off-by: Deluan <deluan@navidrome.org>

* feat(httpclient): enhance SSRF protection by validating host requests against private IPs

Signed-off-by: Deluan <deluan@navidrome.org>

* feat(httpclient): support DELETE requests with body in HttpClient service

Signed-off-by: Deluan <deluan@navidrome.org>

* feat(httpclient): refactor HTTP client initialization and enhance redirect handling

Signed-off-by: Deluan <deluan@navidrome.org>

* refactor(http): standardize naming conventions for HTTP types and methods

Signed-off-by: Deluan <deluan@navidrome.org>

* refactor example plugin to use host.HTTPSend for improved error management

Signed-off-by: Deluan <deluan@navidrome.org>

* fix(plugins): fix IPv6 SSRF bypass and wildcard host matching

Fix two bugs in the plugin HTTP/WebSocket host validation:

1. extractHostname now strips IPv6 brackets when no port is present
(e.g. "[::1]" → "::1"). Previously, net.SplitHostPort failed for
bracketed IPv6 without a port, leaving brackets intact. This caused
net.ParseIP to return nil, bypassing the private/loopback SSRF guard.

2. matchHostPattern now treats "*" as an allow-all pattern. Previously,
a bare "*" only matched via exact equality, so plugins declaring
requiredHosts: ["*"] (like webhook-rs) had all requests rejected.

---------

Signed-off-by: Deluan <deluan@navidrome.org>
This commit is contained in:
Deluan Quintão
2026-02-24 14:28:36 -05:00
committed by GitHub
parent 2bb13e5ff1
commit 652c27690b
14 changed files with 1228 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plugins/host_websocket_test.go
+6
View File
@@ -575,6 +575,12 @@ var _ = Describe("WebSocketService", Ordered, func() {
Expect(matchHostPattern("*.example.com", "deep.api.example.com")).To(BeTrue())
})
It("should match bare '*' as allow-all", func() {
Expect(matchHostPattern("*", "anything.example.com")).To(BeTrue())
Expect(matchHostPattern("*", "127.0.0.1")).To(BeTrue())
Expect(matchHostPattern("*", "::1")).To(BeTrue())
})
It("should not match partial patterns", func() {
Expect(matchHostPattern("*.example.com", "example.com.evil.org")).To(BeFalse())
})