mirror of
https://github.com/navidrome/navidrome.git
synced 2026-02-25 11:26:03 -05:00
652c27690b
* feat(httpclient): implement HttpClient service for outbound HTTP requests in plugins Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): enhance SSRF protection by validating host requests against private IPs Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): support DELETE requests with body in HttpClient service Signed-off-by: Deluan <deluan@navidrome.org> * feat(httpclient): refactor HTTP client initialization and enhance redirect handling Signed-off-by: Deluan <deluan@navidrome.org> * refactor(http): standardize naming conventions for HTTP types and methods Signed-off-by: Deluan <deluan@navidrome.org> * refactor example plugin to use host.HTTPSend for improved error management Signed-off-by: Deluan <deluan@navidrome.org> * fix(plugins): fix IPv6 SSRF bypass and wildcard host matching Fix two bugs in the plugin HTTP/WebSocket host validation: 1. extractHostname now strips IPv6 brackets when no port is present (e.g. "[::1]" → "::1"). Previously, net.SplitHostPort failed for bracketed IPv6 without a port, leaving brackets intact. This caused net.ParseIP to return nil, bypassing the private/loopback SSRF guard. 2. matchHostPattern now treats "*" as an allow-all pattern. Previously, a bare "*" only matched via exact equality, so plugins declaring requiredHosts: ["*"] (like webhook-rs) had all requests rejected. --------- Signed-off-by: Deluan <deluan@navidrome.org>
60 lines
1.8 KiB
Python
60 lines
1.8 KiB
Python
# Code generated by ndpgen. DO NOT EDIT.
|
|
#
|
|
# This file contains client wrappers for the HTTP host service.
|
|
# It is intended for use in Navidrome plugins built with extism-py.
|
|
#
|
|
# IMPORTANT: Due to a limitation in extism-py, you cannot import this file directly.
|
|
# The @extism.import_fn decorators are only detected when defined in the plugin's
|
|
# main __init__.py file. Copy the needed functions from this file into your plugin.
|
|
|
|
from dataclasses import dataclass
|
|
from typing import Any
|
|
|
|
import extism
|
|
import json
|
|
|
|
|
|
class HostFunctionError(Exception):
|
|
"""Raised when a host function returns an error."""
|
|
pass
|
|
|
|
|
|
@extism.import_fn("extism:host/user", "http_send")
|
|
def _http_send(offset: int) -> int:
|
|
"""Raw host function - do not call directly."""
|
|
...
|
|
|
|
|
|
def http_send(request: Any) -> Any:
|
|
"""Send executes an HTTP request and returns the response.
|
|
|
|
Parameters:
|
|
- request: The HTTP request to execute, including method, URL, headers, body, and timeout
|
|
|
|
Returns the HTTP response with status code, headers, and body.
|
|
Network errors, timeouts, and permission failures are returned as errors.
|
|
Successful HTTP calls (including 4xx/5xx status codes) return a non-nil response with nil error.
|
|
|
|
Args:
|
|
request: Any parameter.
|
|
|
|
Returns:
|
|
Any: The result value.
|
|
|
|
Raises:
|
|
HostFunctionError: If the host function returns an error.
|
|
"""
|
|
request = {
|
|
"request": request,
|
|
}
|
|
request_bytes = json.dumps(request).encode("utf-8")
|
|
request_mem = extism.memory.alloc(request_bytes)
|
|
response_offset = _http_send(request_mem.offset)
|
|
response_mem = extism.memory.find(response_offset)
|
|
response = json.loads(extism.memory.string(response_mem))
|
|
|
|
if response.get("error"):
|
|
raise HostFunctionError(response["error"])
|
|
|
|
return response.get("result", None)
|